THE U.S. DEPARTMENT OF VETERANS AFFAIRS INFORMATION TECHNOLOGY REORGANIZATION: HOW FAR HAS VA COME?


WEDNESDAY, SEPTEMBER 26, 2007 

U.S. House of Representatives, 
Committee on Veterans’ Affairs, 

Washington, DC. 

The Committee met, pursuant to notice, at 9:58 a.m., in Room 334, Cannon House Office Building, Hon. Bob Filner [Chairman of the Committee] presiding.

Present: Representatives Filner, Snyder, Herseth-Sandlin, Hare, Salazar, Walz, Buyer, Stearns, Brown of South Carolina, Brown-Waite, Bilbray, and Lamborn.

OPENING STATEMENT OF CHAIRMAN FILNER 

The Chairman. This meeting of the House Committee on Veterans’ Affairs is called to order. Today, the Committee will be looking at the U.S. Department of Veterans Affairs (VA) Information Technology (IT) Reorganization: How Far Have We Come?

Obviously, this is a very important issue. And we will be looking at the progress of VA in centralizing its IT efforts.

We want to explore the progress that the VA has made in its efforts to be what Secretary Nicholson called the “gold standard” of information security among Federal agencies, a goal that was enunciated in the wake of a data breach last year that involved over 25 million veterans and succeeding incidents including one recently in Birmingham, Alabama.

We understand that such a centralization will not happen overnight. We are not asking you to do this overnight. But we are asking, and our veterans are demanding, that the VA be held accountable for getting the job done.

This past June, the U.S. Government Accountability Office (GAO), while praising the commitment from senior leadership, found fault with a number of areas in the VA’s efforts, efforts that hinder the VA’s ability to successfully reach its reorganization goals.

These include rejecting the GAO’s recommendation that VA create a dedicated implementation team responsible for day-to-day management of major change initiatives. Instead, the VA is apparently dividing the responsibility among two organizations in this new structure. And the GAO was concerned that this approach would not work. Many of us on this Committee share that sense.

More recently, GAO reported that out of 17 recommendations made by the VA Inspector General (IG), 16 had not yet been implemented. Implementing these recommendations is essential if the VA is to protect private information and meet its obligations under the Federal Information Security Management Act (FISMA).

In the final analysis, we must remember that IT is merely a tool, a tool used by the VA in furtherance of its mission of caring for veterans. This Committee has continued to work in a bipartisan fashion to encourage the VA to centralize its IT efforts. These efforts, we think, will lead to concrete benefits for both the VA, taxpayers, and most importantly, our veterans.

Our charge is to ensure that while VA is carrying out its mission, it does so with the best and most up-to-date technology that the 21st century provides, while securing that technology from outside manipulation and preventing improper disclosure of our veterans’ confidential information.

We must at the same time foster creativity and innovation and the use of electronic medical records and other systems that have put VA at the forefront of medical care. These are not easy tasks. We are heartened by many of the steps the VA has undertaken, but remain concerned that more should be done, and could be done, at a faster pace.

We remain hopeful that the VA can simultaneously provide our veterans the greatest security, management, and healthcare. Undoubtedly, the efficient and effective management and operation of VA IT efforts will result in tangible benefits for our veterans.

I would yield for an opening statement to the Ranking Member of our Committee, Mr. Buyer. And you have 5 minutes.

[The prepared statement of Chairman Filner appears on p. 55.] 

OPENING STATEMENT OF HON. STEVE BUYER, 
RANKING REPUBLICAN MEMBER 

Mr. Buyer. Thank you very much, Mr. Chairman. First I would like to address the issue regarding the Vietnam Veteran’s Memorial Wall. I was heartbroken to learn about the callous act of vandalism that resulted in the damage to the Vietnam Veteran’s Memorial Wall on September 7th.

For every person that has ever stood before that wall, you can reflect upon your feelings and emotions as you stood before the 147 black granite panels. I could not help but sense and feel the humility of a grateful Nation and how small one feels standing before the granite.

What I will say publicly to the vandal is that you are nothing but a coward. These are cowardly acts to stand before that wall and to throw such a substance and attempt to deface the Vietnam Veteran’s Memorial Wall.

The reality is that despite that act, you have no impact upon history. You have no impact upon the families who embraced their loved ones, that gave their lives for this country.

So to the coward, you can either step forward and accept responsibility for your act or forever crawl back under the rock from which you came.

Right now I would like to thank the Chairman. He and I worked together last year along with other Members of the Committee.
And I want to publicly thank Mr. Evans, in our efforts to centralize the IT architecture within the VA.

Mr. Chairman, I would like to thank you for responding to my request. More in particular, I compliment your timeliness in holding this hearing, with the exit and retirement now of the VA Secretary. I think it is just a wonderful time for us to get an update.

It is important for us to look back over the past year and see how the VA has implemented the instructions given in Public Law 109-461 and moved its IT infrastructure to a centralized model. This is the first step for any large Federal department or agency of government.

We held a lot of hearings on VA’s data breach, Mr. Filner. And so as we talk about the centralization of the IT infrastructure, it is also about security assurances. And I can’t — when I think about the challenges that the Chief Information Officer (CIO) of the VA has, it is extraordinary.

And so while I compliment you, Mr. Chairman, for holding this hearing and getting the input, we also have to be cognizant of the task at hand and how long it is going to take to perfect a centralized model.

And patience is one thing that is going to be very hard for us to have, and for me in particular, because of my 7 years of interest in the issue. But I recognize how long it is going to take.

The goal of Public Law 109-461 was to provide the means to allow growth and development to move forward with a main central IT structure in which new, improved technologies and methodologies can be encouraged and shared throughout the VA. The new law also brought fiscal discipline to VA IT for the first time.

What I am interested in finding out today is how the centralized model is being implemented. And whether there has been any cultural resistance from local facilities toward centralizing.

I am also interested in learning what new technologies are being used. How will these technologies enhance the VA’s ability to provide faster, better, and safer services to our Nation’s veterans? What measures are being used to protect the identity of our veterans when they seek treatment or benefits from the VA?

I was very concerned when I learned about the 2006 Federal Information Security Management Act report being delayed and the VA receiving an incomplete in its FISMA reporting requirements. I trust that this will not occur again in the 2007 reporting period.

I am also concerned about the continuing problems in IT security, which are detailed in the weekly Network Security Operations Center reports received by this Committee.

The Birmingham VA research breach involves more than a million Medicare and Medicaid providers. I would like to know how the IT vulnerabilities that we have seen in VA’s research community are going to be addressed, so that incidents such as this no longer occur.

Last week, the GAO testified before the Senate Veterans’ Affairs Committee and made 17 recommendations to the Secretary. Those recommendations aimed at improving the effectiveness of VA’s efforts to strengthen information security practices by developing and documenting processes, policies, procedures, and completing the implementation of key initiatives.
For instance, why is the Veterans Health Administration’s (VHA’s) waiver for not encrypting physicians’ laptops and other devices still in effect? I am looking forward to hearing the status of each of these recommendations from both the GAO and the VA.

Mr. Chairman, I would like to thank the witnesses for coming to testify before the Committee, and General Bob Howard who took the reins for the VA IT infrastructure during a wave of change.

I compliment you, sir. It is under his watch that the goals and policies set up by Public Law 109-461 are being implemented. And I look forward to hearing from you and continue to work with you.

General, I also want you to rely upon your military experience, because once you have made your advance, you have taken ground. And now that you have someone leaving, i.e., the Secretary, as an agent of change, other individuals are seeking to take ground back.

So you are going to have to defend. And I recognize that. And at the first moment, please pick up the phone, call the Chairman, call me. We want to work with you to make sure that you have the ability to implement the law.

And I would say to the witnesses, I had an opportunity last night to read your testimony. I have a Commerce Committee hearing on my other issue dealing with counterfeit drugs. And so I am going to have to excuse myself.

But thank you, Mr. Chairman.

The Chairman. Thank you. Any other opening statements? Dr. Snyder? Mr. Walz? Mr. Brown? Mr. Lamborn?

All Members have 5 legislative days to revise and extend their remarks and all written statements will be made part of the record. Hearing no objection, so ordered.

Our first panel this morning is from the U.S. Government Accountability Office. Ms. Valerie Melvin is the Director of the Human Capital and Management Information Systems Issues Office. Mr. Gregory Wilshusen is the Director of Information Security Issues. And accompanying you is Ms. Oliver. If you will introduce her, Ms. Melvin. Your written statements will be made a part of the record, so if you can keep oral remarks to about 5 minutes, that would be great.

STATEMENTS OF VALERIE C. MELVIN, DIRECTOR, HUMAN CAPITAL AND MANAGEMENT INFORMATION SYSTEMS ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; AND GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE; ACCOMPANIED BY BARBARA OLIVER, ASSISTANT DIRECTOR, HUMAN CAPITAL AND MANAGEMENT INFORMATION SYSTEMS ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

STATEMENT OF VALERIE MELVIN 

Ms. Melvin. Mr. Chairman and Members of the Committee, thank you for inviting us to discuss VA’s information technology realignment and actions toward strengthening its information security program.

With me today, as you have noted, is Mr. Greg Wilshusen, GAO’s Director of Information Security Issues, and Ms. Barbara Oliver, Assistant Director for VA IT issues.
In serving our Nation’s veterans, VA relies heavily on information technology, for which it spends about $1 billion annually.

However, the Department has long been challenged in IT management, having experienced cost, schedule, and performance problems in its information systems initiatives, as well as security breaches that threaten to compromise sensitive and personally identifiable information.

To provide greater authority and accountability over its resources, VA is realigning its organization to centralize IT under the Chief Information Officer, relying on a defined set of improved management processes to standardize operations. VA began this realignment in October 2005 and plans to complete it by July 2008.

Over the past year, we have assessed and reported on the realignment. And just last week, as you noted, released a report on the Department’s information security. At your request, our testimony today summarizes our findings in these two important areas.

In short, VA has made progress in moving to a centralized structure by fully or partially addressing all but one of six critical factors that we identified for a successful transformation such as this realignment.

Among its actions, the Department has ensured top leadership commitment to the initiative and established a governance structure to manage resources. However, it continues to operate without a single dedicated implementation team to oversee this important change.

And in addition, while improved IT management processes are a cornerstone of the realignment, VA has not kept to its timeline for implementing the processes and thus, has not made significant progress, having only piloted two of the thirty-six planned processes.

At the same time, VA has ongoing programs and system development initiatives that depend on effective management and use of IT resources, the essence of this realignment. Our recent studies have noted measures of progress in its efforts. But essential work remains, including addressing numerous and longstanding information security weaknesses.

Our report, released last week, notes that although VA has made progress in strengthening information security, much work remains to resolve its security weaknesses.

The Department has undertaken several major initiatives to strengthen information security practices and secure personally identifiable information, including continuing efforts to realign its management structure, establishing an information protection program, and improving its incident management capability.

Yet while these initiatives have led to progress, their implementation has shortcomings. For example, although a new security management structure exists, improved security management processes have not yet been completely developed and implemented.

In addition, this new security management structure divides responsibility for information security functions between two organizations, but with no documented process for the two offices to coordinate with each other.

Further, the Department has made limited progress in addressing prior recommendations to improve security that we and its Inspector General have made. Although VA has taken certain steps, it has not yet completed the implementation of 22 out of 26 prior recommendations.

In summary, Mr. Chairman, VA is making progress on its IT realignment. But important work remains to ensure that effective management processes exist and that its IT programs and initiatives are fully and successfully implemented.

In our view, an implementation team and established management processes are crucial to the overall success of the realignment, without which the Department is in danger of missing its 2008 targeted completion date and of not realizing the potential benefits of this initiative.

Similarly, until the Department addresses the shortcomings in its IT security program, it will have limited assurance that it can protect its systems and information from unauthorized disclosure, misuse, or loss.

This concludes our prepared statement. We would be pleased to respond to any questions that you may have.

[The prepared statement of Ms. Melvin and Mr. Wilshusen appears on p. 57.]

The Chairman. Thank you. There are no other prepared statements from the panel?

Ms. Melvin. No. This is our statement. 

The Chairman. Thank you. And I appreciate you undertaking 
this. It has been very helpful. 

Dr. Snyder, do you have any questions? 

Mr. Snyder. Yes. 

The Chairman. Go ahead. I will wait. 

Mr. Snyder. I think you all make a great contribution in these areas.

I am always struck that somebody like us that can sit on these panels and, you know, make — we are prone to make accusatory comments about administrative agencies and their failures to do certain things.

I couldn’t do this. I don’t have the skills to do what we are asking the VA. Can you all do this? If you were plucked out and put in Secretary Nicholson’s slot, could you do this, what you are asking this system to do?

Ms. Melvin. Sir, this initiative is a complicated one. 

Mr. Snyder. Yeah. 

Ms. Melvin. It is one that from its inception, we have noted would take a lot of dedication. Was one in which VA was stepping out in a way that few other agencies have, in fact, done.

It is an effort that will require tremendous discipline, tremendous coordination, and exceptional communication on the Department’s part to ensure that all of its management is involved, all of its users are adequately considered. That there is the necessary governance in place and the discipline process is in place to ensure that this can be undertaken.

Mr. Snyder. Was that a no? Regardless of 

Ms. Melvin. It means that it is a very complicated process 
that 

Mr. Snyder. I think it is. 
Ms. Melvin [continuing]. Will require a lot of effort on the Department’s part.

Mr. Snyder. I think it is. I think the problem with it too is it is complicated. It is a challenge. And you outline, I think, some kind of hard attributes of the process. But it is about leadership, I think, and getting people to buy into it.

Did you — have you all looked at what the downside for veterans’ healthcare is if these things are not being done?

Ms. Melvin. Obviously, this overall initiative, it is in place so that the Department can have more effective processes for managing all of the initiatives that it is undertaking.

Certainly one of those, for example, is its veterans health information system. All of these initiatives are impacted by the efforts that are being undertaken and the sense that VA has previously operated in a centralized manner. And in moving — I am sorry, in a decentralized manner.

And in moving to centralization, it will be critical to make sure that the processes exist so that requirements can be understood effectively, identified effectively, and that solutions are in place to address them.

When you are looking at that, obviously there is the chance that if this is not undertaken properly, if it is not put in place in a disciplined manner that allows all of the administration’s IT needs to be addressed in a manner that supports the veterans, it could, in fact, impact veterans through the systems that are either put in place effectively or not put in place effectively.

Mr. Snyder. I spent several hours sitting in an airport yesterday, because of something that happened with Memphis radar that shut down planes over several States. There was no — nothing — it was earlier at the Little Rock Airport. Nothing was coming in or going out.

And if you had asked us, I would think most of us would say well, there has got to be some redundancy in some system — in the system. We can handle whatever kind of technical problem. And yet, these kinds of things get so complicated that it can be — it can get so complicated it is difficult for a group of civilians here to provide that kind of oversight.

So we count on you all to do that for us. And I always struggle a little bit about what exactly do I think is the clear next step for them to take. What do I think they should be doing.

And it comes down to me as a matter of almost the personal leadership of the people at the top, the people that are at the highest position of leadership at the VA. This has got to be a number one priority, maybe second only to veterans’ healthcare, or it is not going to get done.

Why I sometimes read these reports, they almost get so dry, which is I think what your approach is. That is what we want you to do. But that we forget about the dynamic leadership that can make this kind of thing occur through a big system.

Thank you for your contribution. I don’t have any further comments, Mr. Chairman.

The Chairman. Thank you. Mr. Stearns. 

Mr. Stearns. Thank you, Mr. Chairman. I sort of tend to think that we can solve this problem. General Motors, a large corporation, is able to keep track of their security. They set up a security database with a security chief officer. They are able to coordinate with all the plants, not just in the United States but around the world.

IBM, as I understand, is a subcontractor to you folks. And IBM has been successful in setting up internally their own IT network.

So I don’t think it is without the realm of possibility. In fact, if the private sector came in and did this, wholly I suspect they could get it done.

I think Dr. Snyder’s probably correct, it is one of leadership. But it is also inherently difficult with bureaucracies, because it has been decentralized. And these bureaucracies are not talking to each other. But I am optimistic that you can get it done.

In May 2006, VA experienced the largest data breach in the history of the Federal Government. In January 2007, VA Birmingham, Alabama, suffered a breach of unbelievable magnitude involving any practitioner that has ever billed Medicare or Medicaid.

My question is, is the VA data at risk today? Notwithstanding 
where we are, is the VA data at risk today? Can you tell me “yes” 
or “no”? 

Mr. Wilshusen. Yes, it is, sir.

Mr. Stearns. And is that agreed by all three of you? Was that 
pretty much the unanimous consent of all of you that the VA data 
is at risk? 

Ms. Melvin. Based on my understanding of the work that Mr. Wilshusen has done, I would say yes.

Mr. Stearns. Now, Mr. Wilshusen, why don’t you explain why you think it is at risk?

Mr. Wilshusen. Okay, certainly. First of all, I would like to note that VA has made important progress in improving its information security practices and policies. However, much more needs to be done.

For example, VA has not yet fully implemented two of our four prior recommendations, including one to complete a department-wide information security program.

In addition, it has not yet fully implemented 20 of 22 recommendations made by the Inspector General (IG) with regard to improving information security.

For example, it has not yet completed the activities to appropriately restrict access to its information, computer systems, and networks. It has not yet implemented appropriate physical security safeguards to protect its information technology resources and facilities, nor has it ensured that all authorized — that only authorized changes and upgrades have been made to computer programs.

Until these recommendations are implemented, unnecessary risk exists that personal information of veterans and others, including medical providers, such as — or such medical providers, will be exposed to data tampering, fraud, and unauthorized or inappropriate disclosure.

Mr. Stearns. Based upon what you said, would you be willing 
to track the VA’s progress in implementing their consolidation plan 
and report back to us on a regular basis? 

Mr. Wilshusen. Yes, we would. Yes, I would. 
Mr. Stearns. What are the short-term, mid-term, long-term consequences and vulnerabilities for the delay in VA’s integration and consolidation plan? And I guess — go ahead.

Ms. Melvin. In terms of VA’s centralization, the concerns that we have relate to the extent to which the Department implements the critical processes that it has identified for this initiative.

The Department has identified 36 processes that are critical or the foundation I should say to the overall — having an overall disciplined process in place that allows it to oversee and account for its IT investments.

In the immediate, we noted that the Department has, in fact, put a governance structure in place, so that they have some immediate levels of responsibility.

However, in looking out over the initiative as it continues to carry out this implementation, we have concerns from a longer term relative to how they are actually — or the progress that they are making, I should say, in actually fielding the leadership for the positions that it has. The extent or the time frame in which it would get its management processes in place.

At the same time that the Department is undertaking this realignment, as I mentioned in my statement, its systems development initiatives and programs are still being undertaken.

So in the long term, having this system in place and having it in place the sooner the better relative to its impact on the overall initiatives that it is undertaking and how effectively it can continue to move forward with those projects for systems development.

Mr. Stearns. Have you seen any bureaucratic or cultural push 
back toward this implementation in the administration? 

Ms. Melvin. We have heard through our assessment that there has been concern from the clinicians, for example within the Veterans Health Administration, that in doing this, some of their innovation will be stifled.

And I think this is driven by their past experience in the initial — the development of the initial VistA system. However, what we have stated through our work is that if the Department is able to move forward and maintain momentum in terms of having an effective communication strategy in place, having the overall leadership in place relative to the many offices that it has identified.

For example, they have identified 25 offices that are being put in place to implement and execute the 36 management processes that will give it a disciplined approach to managing its investments and resources.

However, at the time of our review, those — not all of those offices had been filled. I think it is somewhere in the range of probably 15 or more either had not been filled or had been filled only in an acting capacity.

Our concern with that is that without the stable leadership, the Department does not put itself on a solid and a sustainable foundation for being able to carry through with the realignment itself. And then certainly to execute all of the processes that are necessary to carry out its investments and its projects.

Mr. Stearns. Thank you, Mr. Chairman. 

The Chairman. Thank you. Mr. Walz, your witness. 
Mr. Walz. Thank you, Mr. Chairman. And thank you to each of you for being here. It is a very important service that you provide. And every time we testify in this Committee, I think it is very important for us to always remember the ultimate goal here is the service to our veterans and making sure that is possible.

And I think I associate myself with Mr. Snyder — Dr. Snyder’s comments on this. It is all too easy to point fingers at this. And this is a — this is a large task.

And I also associate myself to a certain degree with my colleague, Mr. Stearns, that I believe this can be fixed. Although his faith in the private sector seems to forget the letter that I received in June of 2005 when my MasterCard data, along with 40 million others, were compromised.

So it cuts both ways. It is a difficult task. But it is one that I think we are hitting on, and some of the questions got asked. But I just have two questions that I am concerned about.

I represent the Southern Minnesota district that includes the Mayo Clinic. And I have had a lot of talks on this issue, on the VA side of things, on the quality of the VistA system and their medical records, which is arguably the best in the world.

My concern is, and you hit on it to a certain degree, do you have a concern that any of this is going to be the movement forward we have had on the VistA system, the electronic medical records, and our push to seamless transition with the U.S. Department of Defense (DoD) is going to be affected by this realignment? If you could comment on that in your opinion.

Ms. Melvin. Obviously, in undertaking the realignment, the key 
will be making sure that the Central Office of Information and 
Technology, which is the key point at which the centralization is 
taking place, is in touch, if you will, with the administration, in 
this case the Veterans Benefits Administration (VBA). I’m sorry. 
Veterans Health Administration. 

And what we have seen in our work and what we have advocated through the success factors that we have emphasized as a part of our most recent study, was the need for the Department to have adequate communication and a balance relative to ensuring that the requirements, the needs of the administrations, are adequately identified, heard, and dealt with as a part of the overall efforts that are undertaken.

Obviously, that means that the Department has to get in place its main office that is identified to serve as the conduit of communication between the administrations and the central office.

At the time of our assessment, that office had not been staffed and its leadership had not been put in place. So we view that as critical to making sure that they have the necessary balance for making — for ensuring that administration needs are identified, that solutions are identified to address those needs, and that there is a necessary follow up to ensure that the delivery takes place in terms of services provided through the IT that the central office supports.

Mr. Walz. And my — just my final question here. And this is I guess a bit more subjective. I come from — my background is in cultural studies and this issue of culture or what is there. I know when the issue came out of the data breach, I also received a letter on that as a veteran for my data breach.

And it seemed like at that point though there was a slowness to it, a reluctance to move on this. Do you get a feeling, and this as I said is very subjective? I have complimented many of the Members who have taken over on this in a very difficult time.

And I feel that there is a — maybe there is a shift in the culture of understanding this. And I am convinced that this is central before we can move forward, if they really understand that. If you may — if you could comment on that.

Ms. Melvin. I would agree with you. Definitely key to this is the cultural transformation that is necessary, along with the actual implementation of new processes.

Key to that, again, as I have mentioned earlier, is communication. We do feel that that is one of the critical aspects that has to take place. In our work, we found that the Department has taken some efforts toward trying to improve its communication in dealing with the administrations.

But there is still more work that can be done through ensuring, as I mentioned earlier, that its business relationship management office is staffed up. That the necessary individuals are in place in positions there to serve as the conduit of communication, through actual information sharing and making sure that the users understand what it is that the Department is trying to accomplish and how they plan to do that. And the impact of how that change to centralization will affect the Department from the standpoint of identifying business requirements, addressing the requirements.

Only until they have had an opportunity to really communicate and reach agreement and understanding on those aspects will there be a cultural change, will there be what I would say is more user buy-in to this overall initiative.

Mr. Wilshusen. And I would just add from an information security 
perspective that the tone at the top has increased significantly 
with regard to taking corrective actions to implement effective se- 
curity controls since the May 2006 data theft. 

I think that was a watershed event, which really caused and 
highlighted the need for strong information security control. And 
we have seen a shift throughout the entire organization in the 
terms of — particularly with reporting incidents of potential data 
breaches or loss of information. Just prior to and subsequent to 
that May 2006 event, for example, the number of reported inci- 
dents doubled over the 5 months following it, versus the 5 months 
preceding that point. 

In addition, the number of initiatives that the VA has under- 
taken to improve security, and they are making progress. Many of 
them have not yet — many of those initiatives have not yet been 
completed. But they are taking steps to implement stronger con- 
trols. 

Mr. Walz. Great. Well I thank you. I yield back, Mr. Chairman. 

The Chairman. Mr. Brown, any questions? 

Mr. Brown of South Carolina. Thank you, Mr. Chairman. And 
thank you to the witnesses for coming this morning. I know this 
is a major concern of mine and of course of all the veterans around 
the country. 

Do you think we are — we are better off today than we were back 
in 2006? 

Mr. Wilshusen. With regard to the 

Mr. Brown of South Carolina. Security. 

Mr. Wilshusen [continuing]. Security of 

Mr. Brown of South Carolina. Right. 

Mr. Wilshusen [continuing]. Their personal information, I believe 
VA has taken steps to improve information security. And 
these steps include encrypting the information on thousands of 
laptops, initiating a remedial action plan to identify and to take 
corrective steps to improve the security controls, but much more 
still needs to be done. 

There are still significant and unnecessary risks to veterans’ in- 
formation. But I believe that they are taking steps in the right di- 
rection. 

Mr. Brown of South Carolina. Do we have a system in place 
that we can identify if there is a breach at some point in time? 

Mr. Wilshusen. Well there are technical controls that are available 
to look for and to detect anomalous behavior and whether or 
not there have been breaches, if you will, or intrusions into the sys- 
tems in networks of VA. 

VA, I believe, is in the process of acquiring and installing intru- 
sion prevention systems on various devices that will help prevent 
and to detect such occurrences. 

Mr. Brown of South Carolina. Well I believe in the past we 
have had like people taking their laptops home and this sort of 
thing. So I was just trying to 

Mr. Wilshusen. That is correct. And that is why the physical security 
controls and the use of encryption on portable media and 
laptops is so important, because you correctly state that many of 
the or several of the most significant security breaches were the re- 
sult of physical theft of equipment. 

And so it is important that VA first inform and train their staff 
on what the proper controls are over that equipment and over that 
information and to put in the appropriate controls to prevent them 
from occurring. 

Mr. Brown of South Carolina. And how long do you think it 
will take to implement a system that we can feel comfortable with 
that our records are secure? 

Mr. Wilshusen. VA, in its remedial action plan, has identified 
over 400 action items in which it is undertaking to improve various 
different aspects of information security. 

Some of those actions extend out to June — or I am sorry, out to 
2009. Even upon completion of those actions, many of which are to 
develop or update a policy or procedure, the true test of deter- 
mining whether or not the agency has effective information secu- 
rity controls is whether or not they effectively execute those poli- 
cies and procedures. 

And, as my father once told me, and I am paraphrasing him now, 
“The road to insecurity is paved with good intentions.” And devel- 
oping policies and procedures shows what the management’s inten- 
tions are with regard to securing information. 
But it gets down to the detail of actually implementing those on 
a sustainable, ongoing and consistent basis throughout the organi- 
zation. 

Mr. Brown of South Carolina. We don’t recognize the cultural 
education we must perform. Is there anything that we can do as 
Members of Congress to help expedite that process? 

Mr. Wilshusen. Well, one, the passage of the Veterans Benefits 
Healthcare and Information Technology Act of 2006, I think, was 
a positive step forward. And in addition to holding these types of 
hearings, holding VA officials accountable for their actions and 
maintaining a dialog with them, with you and your staffs with the 
VA officials to assure that appropriate actions are being taken. 

Mr. Brown of South Carolina. Thank you very much. 

Mr. Wilshusen. You’re welcome. 

The Chairman. Ms. Herseth Sandlin. 

Ms. Herseth Sandlin. Thank you, Mr. Chairman. Thank you for 
your testimony today. I would like to pick up a little bit where Mr. 
Stearns had asked your willingness, GAO’s willingness, to track 
the VA’s progress and report back. And you had answered “yes.” 
And I appreciate that. 

But let me ask you this, I assume that in doing that, your job 
would be easier if the VA would actually dedicate an implementa- 
tion team to manage the change, so that you had a team you were 
directly working with, which is the team within the Department 
that’s supposed to be tracking the progress and managing the 
change. 

So could you confirm for me that the VA has not yet acted on 
that critical success factor? 

Ms. Melvin. As it pertains to the realignment initiative, the VA 
has not put what we would desire to see in terms of a single dedi- 
cated implementation team to manage that overall effort. 

It does have multiple offices designated to oversee the realign- 
ment effort. Our concern is that there is not a single body that is 
dedicated to ensuring that there is the necessary oversight for 
the — managing, for example, the schedule against goals and time- 
frames for accomplishment. Identifying shortfalls and being able to 
ensure that there is a consistent coordination throughout the De- 
partment relative to how these are handled. 

We feel that it is important also in terms of having some consist- 
ency through leadership changes that occur so that the Department 
has a voice that speaks for the overall realignment. And that en- 
sures, from an oversight perspective, that it is occurring as it 
should. 

Ms. Herseth Sandlin. So I think you answered my other ques- 
tion. There is no timetable other than the July 2008 date upon 
which this is to be completed. But there are no quarterly objectives. 
There is no, as you said, single entity in place to help set the objec- 
tives, track the progress. 

What has been the Department’s reaction to your concern about 
the lack of that type of entity that would help effectively manage 
the transformation? 

Ms. Melvin. The Department has stated that it is taking some 
actions, for example, toward business processes in terms of identifying 
timeframes. And they prioritized some of those. But we have 
not seen specific dates attached to those. 

But when it comes to the realignment team in and of itself, the 
Department has effectively stated that it would agree to disagree 
with us on the need for a single dedicated team. 

They have not indicated that they wouldn’t have multiple teams 
working. But, again, our desire would be to see a single dedicated 
team that can ensure a coordinated oversight for this initiative. 

Ms. Herseth Sandlin. Well, Mr. Chairman, I would just suggest 
that in light of the Secretary’s resignation, and of course our con- 
tinued hope that there is the tone at the top with the Under Sec- 
retary’s, the deputy assistant secretaries, to improve the system. 

I actually think that given the transition here, the lack of stable 
leadership at the top. And I do think Secretary Nicholson, working 
with this Committee, working with the Ranking Member, working 
with Committee Staff last year when this problem presented itself 
and how we go about the information security objectives, I was 
very committed to it. 

My concern is the transition. And so I think it highlights the im- 
portance of a single dedicated board, governance board, within the 
VA in light of that transition. And would hope that with our over- 
sight that we can, with the testimony we will be hearing from the 
later panels, continue to work with them to — if you would agree. 

And if the Ranking Member and Mr. Stearns and other Members 
of the Committee agree with the GAO assessment as I do, that a 
single dedicated entity is of the utmost importance in helping man- 
age the transformation that we work through our oversight and our 
discussions with the VA to see that that would happen to try to 
stay as on top of the July 2008 deadline as possible. 

And I would yield back. 

The Chairman. Thank you. Just to follow up, I mean, when you 
say you have agreed to disagree, is there a reason? What is their 
reason? 

Ms. Melvin. I think they can best answer that. But in talking 
to them through our assessment, they feel — felt strongly that the 
offices that they are putting in place, and they have identified two 
specific offices, they feel that those offices are capable of providing 
the necessary oversight and coordination for this effort. 

Our concern is that this is an extremely large initiative that in- 
volves many processes, that involves many layers of management 
and the need for solid and extensive communication throughout the 
organization. And certainly established timeframes that can be 
monitored closely and that the organization have some consistency 
in how it measures and tracks performance toward achieving its 
overall goal for 2008. 

The Chairman. And of the two major teams, one of them is — its 
top position is vacant, right? 

Ms. Melvin. Yes, that’s correct. 

The Chairman. Thank you. Mr. Bilbray. 

Mr. Bilbray. Thank you, Mr. Chairman. You know, Mr. Chair- 
man, all the concerns about the information systems kind of re- 
minds me of the fact that ever since man started messing with 
technology, there has been a fear of it, and a threat of it, and, obvi- 
ously, an opportunity. 
I mean, fire would be a good example. I think that there are a 
lot of people in Washington if they had been the caveman with the 
first fire, it would have been outlawed, restricted, and banished 
from the world. 

I think the keys we are looking for though is that we first of all 
needed something that is expandable and transformable. It has got 
to be able to adapt to the situations. 

And actually the Chairman and I went through years in local 
government working the same issue, the city of San Diego, trying 
to work out emergency response information systems, the county 
doing the same thing. And Mr. Chairman, I would just like to let 
you know that though you worked hard at the city, the city now 
has accepted that the county system is so much more effective and 
is adopting that system for their emergency information system. To 
have — I can’t pass up the chance to take a cheap shot. 

My question to you though, the laptop situation was sort of inter- 
esting. With all the encryption on there, wouldn’t it be so much 
more secure if with these mobile information modes, that only the 
person who is authorized to use that or who supposedly has it dele- 
gated to them, if the technology was there to where only they could 
activate the system, wouldn’t that be even a step further in secur- 
ing the information of the veterans? 

Mr. Wilshusen. Yes, it is. Certainly that would be like the first 
step in protecting sensitive information is to make sure that only 
those individuals who have a legitimate business need for access 
have access. 

And once that is granted, then to have other controls to enforce 
that level of access. And then also to protect the information such 
as using encryption and other technologies to protect it — while it 
is being stored on laptops and other devices. 

Mr. Bilbray. How many of our mobile and how many of our sta- 
tionary now are going or do have biometric access control systems? 

Mr. Wilshusen. I don’t know the precise number in terms of 
how many of the laptops or other devices have biometric capabili- 
ties on them at VA. 

Mr. Bilbray. Many laptops have as an option biometric access 
that have had it for over a decade. And after what happened with 
the laptops, I just think it is almost like any businessman would 
say we are going to go to this option now, just as a matter of fact. 

And I would really challenge, if we haven’t done it, why we 
haven’t done it. And really look at the fact that here are those sim- 
ple little things that the private sector would be doing at the snap 
of a hat. But we are always lagging behind in the hope that we will 
go over to that. 

I mean, frankly, I don’t know of a major manufacturer of a laptop 
who does not provide the option that a thumbprint can be used as 
the primary access before the machine would even turn on. And I 
would sure like to see if we are moving forward with those little 
things that can really make a difference. 

If somebody steals a laptop and can’t even turn the thing on, 
that is even better than encryption control. 

I yield back, Mr. Chairman. 

The Chairman. Thank you. Mr. Hare. 
Mr. Hare. Thank you, Mr. Chairman. I apologize for getting here 
a little bit late. I had another meeting. So if you have covered 
these, I hope you will bear with me. But I am just interested in 
the answers that you might have here. 

What are the main reasons that you found for lack of a single 
integration team to oversee this implementation? 

Ms. Melvin. The main reason was that the Department, as I 
mentioned earlier, just felt that it had the necessary offices in place 
to carry out the oversight and monitoring of the implementation. 

But, again, as was stated previously, one of those offices is va- 
cant at this time. And our concern is that with the magnitude of 
this overall effort, there is a need for a coordinated oversight 
through a single dedicated implementation team. 

Mr. Hare. Do you think there is a correlation between the lack 
of staffing in these key leadership positions and the delay in estab- 
lishing the management processes? 

Ms. Melvin. I think it is certainly — if it has not had an impact, 
will have an impact on the Department’s ability to meet its time- 
frames for getting the processes in place. The individuals that it 
has identified and the offices that it has identified are the ones 
that are supposed to implement and execute these processes. 

The Department has acknowledged that they are behind in doing 
that. But we do feel strongly that it is important to have the staff 
there to carry out the processes or you are unlikely to have a dis- 
ciplined approach to managing the investments and resources. 

Mr. Hare. What other hitches do you think — what are the other 
hitches that are causing the delay in developing the 36 manage- 
ment processes? 

Ms. Melvin. I am sorry, what are the delays? 

Mr. Hare. What other hitches are causing do you think 

Ms. Melvin. The issues that are causing it? 

Mr. Hare. Uh-huh. 

Ms. Melvin. What — in talking with VA’s management, we were 
told that — and quite frankly they do recognize that they are behind 
in implementing the processes. What they identified were some 
concerns relative to really the definition of the processes that the 
contractor recommended for them. And the need to redefine and re- 
assess what those processes were relative to their offices in place. 

Also they identified the need to really look at the processes rel- 
ative to responsibilities and ensuring that they clearly discerned 
which offices would be responsible for key activities under those 
processes. 

And in some cases, they are still clarifying who has key respon- 
sibilities. The Office of Information and Technology won’t have full 
responsibility, for example, for all of the financial management 
processes, as the Department has an office of management that 
oversees its overall budget. So they are working through those 
issues. 

And then as you mentioned earlier, a key concern of ours was 
the — that the 25 or so offices that they have identified to imple- 
ment and execute the processes have not yet been fully staffed and 
don’t all have full leadership to direct them. 

Mr. Hare. Have they indicated when they would be staffed? 

Ms. Melvin. When they will be staffed? 
Mr. Hare. Mm-hmm. 

Ms. Melvin. We did not get information on when they would be 
staffed. 

Mr. Hare. Okay. 

Ms. Melvin. They did indicate that they were looking into the 
staffing. That they saw this as a difficult process that they would 
need to work through. 

Mr. Hare. Thanks. And my last question is how much collaboration 
and communication did you find that there is or is not between 
the two implementation teams? 

Ms. Melvin. I believe that the implementation teams are collabo- 
rating with one another. I don’t think our assessment looked fully 
at exactly how all of the collaboration is occurring. 

We do maintain, however, that there has to be collaboration 
across those. And it has to be extensive relative to the processes, 
relative to the overall staffing of the offices that need to take place. 

Again, however, from our standpoint, we would like to see more 
assurance that there is the necessary coordination that would be 
gained through having a single devoted body to overseeing this ef- 
fort. 

Mr. Hare. Okay. Thank you very much. I yield back, Mr. Chair- 
man. 

The Chairman. Thank you. Ms. Brown-Waite. 

Ms. Brown-Waite. Thank you very much. I had votes in Finan- 
cial Services. And that is why I was late. 

I don’t care which one answers this. And you may or may not 
have the information with you. But I understand the VA says that 
they have encrypted 16,000 laptops. Is that correct? 

Mr. Wilshusen. I am not aware of that particular number. But 
they have an initiative underway where they are encrypting thou- 
sands of laptops. I don’t know if 60,000 is the correct number. 

Ms. Brown-Waite. No, 16. 

Mr. Wilshusen. Oh, 16. 

Ms. Brown-Waite. That they have encrypted 

Mr. Wilshusen. Okay. 

Ms. Brown-Waite [continuing]. 16,000, which brings me to the 
other part of my question. If it is 16,000, that is out of how many 
laptops that the VA has? 

Mr. Wilshusen. Well 

Ms. Brown-Waite. Do you 

Mr. Wilshusen [continuing]. The total number of laptops, I don’t 
have that information. But I do know there is a sizable number of 
laptops that have not been encrypted. Many of these are being con- 
sidered medical devices. 

And right now the VA’s policy is not clear as to which devices 
or laptops should, in fact, be encrypted. And that is one of the rec- 
ommendations that we are making that they clarify that policy. 

Ms. Brown-Waite. So medical information may be out there 
without encryption. Is that what you are 

Mr. Wilshusen. That would be the case. 

Ms. Brown-Waite. Okay, another question. There are many in- 
stances where there are laptops not owned by the VA but used by 
VA personnel, and/or perhaps contractors, or the VA research com- 
munities. Are they still unencrypted? 
Mr. Wilshusen. I don’t know. Our assessment did not look at 
the encryption of non-VA equipment. But if individuals or contrac- 
tors have sensitive Veterans Administration information or sen- 
sitive veterans’ information on them, on behalf of VA, those laptops 
should be protected to the same level as required by VA. 

Under the Federal Information Security Management Act, VA is 
responsible for assuring that the systems and equipment that are 
being operated on its behalf by others, should be protected to pre- 
vent and protect against unauthorized use, access, and disclosure 
of information. 

Ms. Brown-Waite. Let me ask another question. There is a pro- 
gram out there that you can buy. It is called “Go to My PC.” If a 
VA employee is at home and uses this kind of a “Go to My PC,” 
and there may be confidential information on their personal com- 
puter (PC) at the VA workplace, can they gain access to their PC 
in the VA workplace from a remote location? 

Mr. Wilshusen. Well I am not familiar with the specific program, 
but — that you mention. But certainly implementing appropriate 
controls over remote access to VA information on VA devices 
is a consideration that VA needs to address and implement appro- 
priate controls. Obviously, there are a number of individuals within 
the VA community that do access information remotely. And assur- 
ing that those — that VA has implemented remote controls is very 
important. 

Ms. Brown-Waite. And you have brought this to their attention? 

Mr. Wilshusen. We and the Inspectors General. One of the 
vulnerabilities to VA systems is the access to data systems and net- 
works. And that is a vulnerability that has been long standing in 
nature. And VA is taking certain actions to help improve its net- 
work security. But those actions are still on going and underway. 

Ms. Brown-Waite. Thank you very much. I yield back the bal- 
ance of my time. 

The Chairman. Thank you. And, again, thank you for your re- 
port. You know, we talk with regard to the Iraqi War about bench- 
marks. And I couldn’t imagine anybody doing worse than our gov- 
ernment in meeting those benchmarks in Iraq. Except now you 
have an agency that has done even worse. 

As I read your report, out of the 36 management processes that 
were set out to have been completed, out of the 17 recommenda- 
tions of the Inspector General, one has been completed. 

I am amazed. Here we are, almost a year and a half after this 
crisis. And it is as if once the crisis passed, everything goes back 
to normal. I still don’t understand the lack of progress on this. It 
is as if well, you know, we have had our hearings, so they will for- 
get about it. And we don’t have to do much. 

Again, I don’t know what the reason for it is. You talked about 
25 or so key positions to deal with this. And you estimate around 
15 are vacant. Two implementation teams that have split respon- 
sibilities. Security still a major concern. 

I mean, if you had to summarize the reasons for this lack of 
progress, how would you do so? Is it lack of leadership? Is it lack 
of resources? What is going on here that we are, a year and 4 
months or 5 months after this incredible problem and we haven’t 
made very much progress it sounds like? 
Ms. Melvin. I would start by saying that the Department’s top 
leadership has certainly committed to this particular effort. 

What we found, I think, when we look across VA and our work 
over the agency in the past times, one of the things that we have 
noted has been just overall project management as being an issue 
that the Department has to deal with. It is something that they 
have grappled with over time. 

In this particular case, again, I would say that, you know, this 
is a very complex effort. It does require a lot of coordination. It 
does require a lot of communication on the Department’s part. 

And I think in terms of the actions that they are taking through 
their overall project management steps to lead this effort and to 
guide it through, there have been things that the Department 
needs to still address. Certainly in getting its leadership in place, 
knowing what resources it has, and to make sure that those re- 
sources are there to help it carry through with the implementation 
until they get some of those basic processes for communication, for 
leadership addressed and the staffing in place, the Department is 
at risk that it won’t be able to get its disciplined approach in place 
through the 36 processes that it still has to implement. 

The Chairman. Well, it may be complex. But this is not rocket 
science. And Mr. Stearns said it. These are rather ordinary prob- 
lems that every company faces every single day in our society, 
every Nation faces it. 

Has the VA used consultants from the private sector on all this? 
They must have. If I were the Secretary or the President, of course 
we would be better off if that were the case, I would call in Bill 
Gates or somebody from Microsoft and say, “Look, as your contribu- 
tion to the national security of our Nation, fix this for us as a dona- 
tion.” I am sure they would do it. I think in 90 days they could 
solve this problem. 

Mr. Stearns. Bill Gates could probably 

The Chairman. Yes. 

Mr. Stearns [continuing]. Bring in his team. I can’t resist, Mr. 
Chairman. Are you recommending immediate withdrawal? 

The Chairman. From Iraq or from the VA? 

Mr. Stearns. The VA. 

The Chairman. Immediate redeployment. 

Mr. Stearns. Redeployment, okay. 

Ms. Melvin. Mr. Chairman, in response to your comment, I 
would state that during our assessment, where we saw the Depart- 
ment’s realignment contractor very much involved with this effort 
and taking a dedicated stand relative to helping the Department 
define its processes and get to a certain point, we did feel that the 
Department was making progress on this effort. Our concern is as 
the Department continues to move forward, that it has the nec- 
essary leadership in place, that it has the necessary staffing and 
communication in place to sustain the effort to not backtrack, if 
you will, through not having a coordinated oversight for this effort. 

So we have seen some progress in the past. But certainly we 
would agree that there is a tremendous amount of effort that is 
still necessary. And it does take sustained and dedicated leadership 
oversight, accountability, and appropriate communications to make 
that happen. 
The Chairman. Mr. Stearns has suggested shock therapy to 
this — to the culture. And I guess we want to know what kind of 
shock can we administer? 

Mr. Stearns. What could we as the Members of Congress here 
do? I mean, we are asking some very difficult questions. And we 
are sort of frustrated, as you can expect here. What could we, as 
Members of Congress, do to sort of expedite this? 

You are alluding to the fact that this culture is — everybody is 
protecting their own turf. And this bureaucracy is so immense that 
no one can get through it. 

We don’t even know how many laptops there are. So if you don’t 
know how many laptops there are, you don’t have any idea how big 
the problem is. 

So considering what the GAO found, Chairman Filner’s correct. 
Two of six critical success factors identified as essential to success- 
ful transformation have been accomplished. But that leaves four 
that have not. 

And as mentioned earlier, 22 of the 26 recommendations from 
the Department’s Inspector General have not been implemented. 
So only four have. 

And it goes on to even caution its limited assurance that it can 
protect its system and information from the unauthorized disclo- 
sure, misuse, or loss of personal, identifiable information. I mean, 
that is a pretty strong statement. 

And here we are frustrated, because we have been having hear- 
ings on this. We talked about it. And so, I mean, is there anything 
that the U.S. Government elected official should do that we are not 
doing? 

Ms. Melvin. I think beyond the oversight, that you should con- 
tinue, obviously, there is room for looking at particular cases in 
terms of how VA actually implements this process. 

And really perhaps taking — making some dedicated case studies, 
if you will, of how this effort really plays out and the impact of the 
realignment efforts on key initiatives that the Department might 
be undertaking would be an approach to really getting a handle 
and a good feel for just how effectively the realignment is being ex- 
ecuted. 

Mr. Stearns. Thank you, Mr. Chairman. 

The Chairman. As you heard, there are bells for votes that we 
have to take. Just two votes. So we are going to have to recess. We 
do appreciate the expertise of the GAO in this matter. We would 
ask you not to be shy about recommending things that we might 
do in the future. 

And I will say to the next panel, which is the VA, you are going 
to have now 20 minutes before we get back here. Throw away your 
prepared remarks. And deal with these questions in a candid way. 

I mean, what is going on with all these vacancies? Why can’t, if 
Mr. Bilbray is right, a simple thing like biometrics be used? Why 
has there been slow implementation of all these recommendations? 
What is your reason for these two implementation teams? Why is 
security still a risk? 

These are questions that every veteran has assumed that we had 
taken care of after the crisis. And they — we are the representatives 
of those veterans for assuring them that. And now it turns out we 
can’t assure them that that is the case. 

So I would like you to address those issues in just a common 
sense way without hiding behind all the bureaucracy. And let us 
have a conversation when we return in about 15 minutes for the 
second panel. 

Thank you so much for the 

Ms. Melvin. Thank you, Mr. Chairman. 

[Recess.] 

The Chairman. We will continue this meeting of the House Com- 
mittee on Veterans’ Affairs and move on to panel two who we 
thank again for their contributions to this discussion. 

We welcome Assistant Secretary for Information and Technology 
at the Department of Veterans Affairs General Howard. And Mr. 
Claudio is the Executive Director for the Office of IT Oversight and 
Compliance. 

To summarize what I had said earlier, Mr. Howard, you are a 
General. Just give the orders and make it happen. You are on. 

STATEMENTS OF HON. ROBERT T. HOWARD, ASSISTANT SEC- 
RETARY FOR INFORMATION AND TECHNOLOGY AND CHIEF 
INFORMATION OFFICER, OFFICE OF INFORMATION AND 
TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS; 
AND ARNALDO CLAUDIO, EXECUTIVE DIRECTOR, OFFICE OF 
IT OVERSIGHT AND COMPLIANCE, OFFICE OF INFORMATION 
AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AF- 
FAIRS; ACCOMPANIED BY ADAIR MARTINEZ, DEPUTY AS- 
SISTANT SECRETARY, INFORMATION PROTECTION AND 
RISK MANAGEMENT, OFFICE OF INFORMATION AND TECH- 
NOLOGY; AND CHARLES DE SANNO, ASSOCIATE DEPUTY AS- 
SISTANT SECRETARY OF INFRASTRUCTURE ENGINEERING, 
OFFICE OF INFORMATION AND TECHNOLOGY, U.S. DEPART- 
MENT OF VETERANS AFFAIRS 

STATEMENT OF ROBERT T. HOWARD 

General Howard. Sir, you had mentioned earlier that you didn’t 
want me to give an opening statement, so we can dispense with 
that. You mentioned earlier not to give an opening statement 
so 

The Chairman. No, I just 

General Howard [continuing]. I dispensed with that. 

The Chairman. However you feel you can — you want to deal with 
this. 

General Howard. Okay, sir. 

The Chairman. I was just making a suggestion. 

General Howard. Yes, sir. There are two other individuals at the 
table with me this morning, sir: Adair Martinez is my Deputy As- 
sistant Secretary for Information Protection and Risk Management, 
and Charlie De Sanno to my far right is the Director of Region IV 
and also Infrastructure Engineering. So they are here with us as 
well. 

I will read my testimony. I can get into addressing the issues as 
you requested. And first, sir, I don’t know if you noticed or not, 
when you were giving your opening statement, I had to leave the 
room and my apologies for that. I had to take a phone call from 
the Secretary in fact. 

Sir, where would you like me to begin? I think perhaps a good 
start point would be the issue of the processes, because, obviously, 
that was an issue that the GAO was concerned about, and a num- 
ber of the Members were concerned as well. 

And so I would like to comment a little bit on that. First of all, 
as stated by the GAO, you know, we realize the importance of 
these processes. There is no question about that. 

But they are right. We have — we have not been as speedy as we 
would like in implementing those. There are reasons for that. I am 
going to cover some that we are well on the way on. 

But one of the reasons that has delayed us to some degree is 
this, we created the organization. We moved 6,000-plus people in 
all of that. We have a new appropriation. You know, we have 
things in place now to help make this happen. 

But what we have also inherited are the problems that were out 
there. And there are a number of them. And those have moved 
right up in priority. 

A good example of that is asset management. You know, the 
Oversight Committee had a hearing on that a few weeks ago. That 
is a real problem. We have had to put a lot of energy on that. 

And so my leaders, and I will get to who they are in just a 
minute, are putting a lot of heat on them to fix a number of prob- 
lems that we have uncovered, because what the organization has 
done, in addition to a number of things, it has made more clear, 
you know, what is going on within the VA with respect to information 
and technology. 

It has also provided us better control, you know, over fixing these 
things. And you are right, we are not there yet. We have a lot of 
work to do. And, obviously, the control over the appropriation is 
also very helpful. 

But this issue of visibility has caused us to see a number of prob- 
lems that must be fixed. We have seen, for example, that we have 
the haves and the have-nots. There are some activities within the 
VA that have paid attention to information technology in the past 
and stayed up to date and all of that. And there are others that 
have not. You know, in a decentralized operation, if you are a di- 
rector of a facility, it is up to you, you know, where you spend your 
money and where you apply the emphasis. 

And there is a mixed situation out there right now. And you 
know one of the goals of our organization is to try and standardize 
that. 

And so focusing in on the problems has definitely caused a slow- 
down in the implementation of some of these processes. 

However, with that said, let me address a couple of issues. First 
of all, the one issue that we disagreed with the GAO is establishing 
a group to make this happen. We — I disagreed with that, because 
quite frankly, my military experience, you know, we have — we have 
a number of Deputy Assistant Secretaries. I have five of them in 
fact that are responsible for certain areas. 

And we want those individuals to implement these processes, for 
example, my Deputy Assistant Secretary for Information Protection 
and Risk Management, Adair Martinez. There is a process that we 
must implement called incident response. This is in her area. She 
has got to do that. She is going to implement that, and gain ownership 
of it, be responsible for it, and all of that. 

If you look at the — all the way over to enterprise operations and 
infrastructure, you know, where Charlie De Sanno happens to be 
located, there are a number of processes that have to be imple- 
mented there. 

Let me give you a perfect example. They are called SLAs, service 
level agreements. We have had a number of meetings so far in try- 
ing to hone in on what is the service level that we agreed to, you 
know, with the customer? Those have to be adjudicated. You know, 
how long does your computer stay up? The pane screen, you know, 
pane on the screens and all of that. The password timeouts, and 
what have you, all have to be agreed with. Downtime, you know, 
what are we on the hook for with respect to downtime. 

These are service level agreements where discussions have al- 
ready taken place. There are two additional offices though. So by 
and large, my key leadership, the monkey is on their back, you 
know, to implement processes that are in their areas. And we have 
divided that up. Each one of my Deputy Assistant Secretaries 
knows of the 36 processes. Thirty-six processes, they know the ones 
that they are responsible for. 

In addition to that, we actually do have an organization called 
Organization Management. It is the remnants of the team that ac- 
tually formed the reorganization itself. That box is still there. Un- 
fortunately it is empty. The individual left about a week ago. But 
I intend to fill that. I do need someone as my conscience, if you 
will. I don’t necessarily need them down into the weeds, you know, 
doing all of the detail. But I do need someone. So that part of it 
that GAO came up with, I don’t disagree with. 

Now in addition, we have a Quality and Performance Office. The 
individual in charge of that office right now is Martha Orr. She 
handles the monthly performance reviews and what have you. The 
focus for processes, the focus for all 36 processes is out of her office. 

Again, she is not responsible for implementing each one of them. 
But she is responsible for coordinating the activity to keeping our 
eye on how these are going and what have you. 

The Chairman. You may be getting there. But I didn’t hear the 
word “timeline” or, you know, “goal” — a timeline for any of this or 
a goal. And the problem I always have with the word “process” is 
that a process is always ongoing. 

General Howard. Yes, sir. 

The Chairman. What about the results? What are we getting out 
of this process, and when is the timeframe within which we are 
going to do it? 

General Howard. Sir, let me focus in on a couple of them. SLAs, 
service level agreements. In fact, just several days ago the indi- 
vidual in charge of that briefed me on his timeline. 

And, you know, I can’t recall the exact dates. But it is some- 
where in the November, you know, end of November, end of Octo- 
ber, beginning of November timeframe to come to agreement, you 
know, with VHA, with VBA, on what these are and then start im- 
plementing them. 
And, in fact, some of them are already implemented. Particularly 
in — like for example, in region four. So there are timelines associ- 
ated with some of those. And that one is an example. 

Incident response, sir, we have a process for incident response. 
It is in place. Now what we don’t have is a thick document explain- 
ing all this. But we absolutely have a responsive capability to work 
incidents. 

In fact, Adair Martinez is in charge of that. She actually started 
it herself, organized the teams that meet weekly. She personally 
approves the weekly summary that is sent to Congress. Incidents 
do come in. They come into our NSOC, our network and security 
operations center. It is to the point now where this is routine, a 
routine process. 

The one additional thing that we have to do is make sure we are 
folding in non-security incidents. And we are beginning to do that. 

On security management, handbook 6500. It was signed out 
about a week ago. This is the security program for the VA. And, 
you know, I don’t know if your Committee has had an opportunity 
to look at it yet or even if we have sent you a copy. But we cer- 
tainly will. But this is now in place. You know, sir, it has taken — 
do you know how many years the VA’s been working on this thing? 
How about ten. We have been trying to get this handbook called 
“6500” out the door for a long, long time. We have it. It has rules 
of behavior in it. 

In fact, I have already met with the unions on this rules of be- 
havior issue. These are very important for employees to sign. So 
the security management process is beginning to happen. 

The other one that I would like to mention is the compliance 
management. And, again, we don’t necessarily have one book that 
says compliance management. But in a minute I am going to ask 
Arnaldo Claudio to explain the process he has put in place, because 
it is very robust. It is very effective. And it is making a difference. 
It is in compliance. 

The IT strategy, you know, we have completed a draft of our IT 
strategy. It is within several weeks of being approved. The other 
one I would like to mention is IT management. Some discussion 
took place about the governance structure. There is a governance 
structure in place. 

The GAO report, unfortunately it was written at a time where 
we had not implemented that. We have. Those meetings have 
taken place in developing the FY09 budget in fact. We have had 
a number of meetings with all three of the governance boards that 
we have put in place, to include the IT leadership board, which I 
chair along with the Under Secretaries. 

And so I wanted to just — sir, I wanted to paint a picture that, 
you know, we are really not sleeping. I mean, we are doing work. 
We are not there yet. I agree with you. But there is a lot of activity 
going on. 

And one more thing I would like to say, sir, and that is it goes 
back to the problems that I mentioned. I am trying to maintain 
some balance. You know, I can beat the heck out of these people 
and make them focus on processes solely. Or I can try to balance 
their workload and make them solve these problems. And at the 
same time, put the processes in place. 
And that is kind of what we have to do. And, unfortunately, it 
has resulted in a bit of a delay on some of these processes. But, 
again, some of them are already in place. 

[The prepared statements of General Howard and Mr. Claudio 
appear on p. 71 and p. 72.] 

The Chairman. Mr. Bilbray had mentioned earlier, and I always 
can’t vouch for his accuracy, but he said it is easy to put biometrics 
on a laptop. Is that in your book there? Is he right? And do we 

General Howard. Sir, we 

The Chairman [continuing]. Have it in a book? 

General Howard. We have looked — we have looked very hard at 
biometrics. And I can tell you that one of the concerns actually 
comes from the medical community, because sometimes these are 
not perfect. You know, they are not as foolproof as you might think. 
You know, it is pretty close, but it is not 100 percent. 

We have looked at biometrics. The — it will not work as smoothly 
as you would like with the encryption application that we have 
placed on our laptops. We have Guardian Edge hard drive 
encryption. If a VA laptop is left out on the parking lot, it is use- 
less. It has got full hard drive encryption on it. It is useless to any- 
body. You can’t get in. You simply can’t get in. 

So that part of it is very robust on the laptop side. We do have 
biometric thumb drives. In fact, I have one in my briefcase. You 
know, we have mandated the use of encrypted thumb drives across 
the VA. And one of them happens to be an encrypted version. I 
mean, a biometric version that can be used. 

So we have — we have employed that to some degree. In the — and 
while I am on this issue of protecting the information or what have 
you, we have had a number of initiatives underway. And have 
worked very hard during this fiscal year to put contracts in place 
for the software as well as the implementation of that software, the 
rollout. I am going to mention a few. 

We have put monitoring software now. And I think at an earlier 
meeting I may have mentioned the importance of that. I know I did 
to Jeff and Art. This Port Monitoring software, the contract was 
put in place about a week ago. We are not rolling that out. 

That means whatever you stick in a port on a VA laptop, we are 
going to know what it is. And we are going to stop the use of it 
if you don’t have a VA approved encrypted thumb drive, for exam- 
ple, you can’t use it on a — in a VA computer. 

Now, obviously, it is going to take time to roll that out. We have 
enough licenses to cover all of the VA in that particular one. Another 
one is called Rescue, the remote enterprise security compliance 
update environment. This one, if you are sitting in your kitchen 
somewhere, you will not be able to download personally identifiable 
information. We will stop that. You can see it if you have authority 
through a secure tunnel, through a virtual private network 
(VPN) tunnel, you will be able to see the information and do your 
work. But you won’t be able to download it, because we will stop 
it with this particular product. 

We are monitoring the network for Social Security numbers. You 
know, you read the reports that we send up here every week. And 
you can see that unencrypted emails have been a problem, you 
know, sending Social Security numbers in the clear. 
We are monitoring that now. In fact when we first started monitoring 
it, there were almost 7,000 incidents of likely Social Security 
numbers, you know, trafficking through the network. We put a 
warning sign on the computers. You know, boom, it will come up 
as soon as you try to do that. Give you a warning. 

And since that time, it has gone down. We are now blocking 
those messages. We have gradually moved to the point where if you 
try to send a Social Security number in an email it will be blocked. 
On email encryption, you know, right now in the VA to include 
Blackberries, we have PKI, public key infrastructure. 

It is very good. But it is not as robust as the product that we 
are now implementing. In fact, IBM just won the contract, I be- 
lieve, Charlie, right? 

Mr. De Sanno. That is correct. 

General Howard. For RMS, Rights Management System? 

Mr. De Sanno. Yes. 

General Howard. That is a product that will — you can send an 
email in the clear. But the attachment is encrypted. It gives you 
a much better — much more flexible capability to work encrypted 
email in a variety of ways, a very important one. 

We have software in place now for port-to-port transmission. You 
know, the VistA system when it was developed, did not take secu- 
rity into consideration as much as we would have today. So we now 
have in place a host-to-host secure capability that we have been 
working on as well. And the final one that I would like to mention 
in this whole area of trying to protect information and be more 
standard about that is the Dell Computer contract that we just put 
in place. And you are aware of that, standardized desktops. The Office 
of Management and Budget (OMB) has mandated that 
desktops will be standardized throughout the government agencies. 

This will provide a much better capability. It is a lease contract. 
We will every two or three years refresh the equipment. And we 
will be able to monitor it much better. We will be able to put what- 
ever we want on it. The people who are working the computer will 
have much less control over what they do. 

This will be enormously helpful to us, not only in terms of stand- 
ardizing things, but helping us with this issue of security. It will 
be very helpful. And, in fact, Charlie just this morning showed me 
the sites that we are likely to start rolling this out beginning this 
particular fiscal year. 

And there are other activities. The one I would like to mention 
also has to do with training and educating the people, because as 
we have mentioned in this Committee before, sir, I know the Sec- 
retary has, you know, the real key here no matter all this — all 
these tools that we put in place, the bottom line is are the people 
paying attention? Are they using the tools the right way? Are they 
properly educated? Do they care? 

We have seen improvement in that area. We do have a way to 
go. Education programs are better now. They are in place. We — I 
strongly believe that our directors throughout the VA are serious 
about educating and training their people. 

And that is a very key aspect, not just the IT people; it is every- 
body who deals with, you know, personally identifiable information. 
And quite frankly, that is very extensive throughout the VA as you 
can certainly appreciate. I don’t know if that is helpful, sir. But 
there is a lot going on. And sometimes you don’t get the complete 
picture. 

The Chairman. I appreciate that. You identified Mr. De Sanno 
as head of region four. 

Mr. De Sanno. Northeast, sir. 

The Chairman. Region — what region four? 

Mr. De Sanno. Sir, the 

The Chairman. I mean, not the Veterans Integrated Services 
Network (VISN) four? 

Mr. De Sanno. No. The regions are numbered from the West 
Coast to the East Coast. So region four is comprised of VISNs one 
through five and VA’s central office. 

General Howard. What Charlie is describing, sir, is the way we 
have organized the information technology 

The Chairman. So we have regions to coordinate the regional co- 
ordinators. 

Mr. De Sanno. Well, yes. We have — well, you know, in an im- 
mense healthcare system like the VA, we segment the business 
into various management structures. So we have a regional direc- 
tor and chief technology officer responsible for the regional activity. 

General Howard. Sir, the reason we have done that refers to 
span and control. When we took over all 6,000 people, the way the 
VISNs are, you know, they are throughout the country and they 
are not regionalized. That is much too big a span and control in 
my opinion. 

So we put down four regions. There are regional directors in 
charge of each one. CIOs at a facility level report to that regional 
director. I meet with them quite often. The four regional directors 
report to my Deputy Assistant Secretary for Operations. 

That is how it works. And, in fact, it is a pretty good control 
structure. Communication is very good in that structure. The com- 
munication problem we see is with our customers. You know, that 
is the part we need to work on better. 

But within the IT community, we have visibility about what is 
going on. And I broke the region — the country into those regions 
simply as a matter of better span and control. 

The Chairman. Okay. Let’s look at the three measurements that 
were mentioned in the earlier testimony. 

We had 17 recommendations by the IG. We have 36 management 
processes that you were working on. We had 25 key positions of 
which, again, the report that we heard, 15 out of those are vacant. 

Only two of the management processes have been fulfilled in one 
of the seventeen recommendations. So what is your timeline for 
completing that process? 

General Howard. Sir, the 

The Chairman. When are you going to fill these positions? When 
are you 

General Howard. Sir, quite honestly, I am not sure what posi- 
tions they are referring to. I do know some that are empty. But I 
don’t have the list in front of me, all 15. The — one of the issues 
there has to do with the human resources (HR) process itself. 

The Chairman. Yeah, that bothers me. Is the GAO still here? Is 
Ms. Melvin still here? The report states there are — that there are 
25 recognized — that you identified 25 key positions for carrying out 
these processes, and about 15 of them were vacant. And you are 
not even sure which ones she is talking about. 

General Howard. Sir 

The Chairman. So there is a problem there. I mean 

General Howard. Sir, I don’t. I can’t get to the number 25. What 
I would like to do, if it is okay with you, sir, is answer for the 
record. 

You know, we can get from GAO exactly those positions and tell 
you 

The Chairman. Okay. But as I understood it, and my under- 
standing may have been wrong, but as I read the report, you iden- 
tified these 25 positions. The GAO didn’t make them up. They 
came from you. And so I assume you are aware of your organiza- 
tion and how we got to that figure. 

General Howard. Sir, as I sit here today, it is not 25. 

The Chairman. What is it? 

General Howard. Sir, I would like to answer that for the record, 
sir. 

[The information provided by General Howard is in the response 
to Question 1 in the post-hearing questions for the record, 
which appears on p. 82.] 

The Chairman. Right. 

General Howard. Because I want to match it exactly to what ap- 
peared in the GAO report, if that is okay with you. 

The Chairman. Okay. Sir, I asked about a timeline on 

General Howard. And you mentioned — you mentioned what dif- 
ficulties we are having with respect to hiring. Part of it is just the 
HR process itself. This is very time consuming. 

An earlier Member mentioned, you know, the ease with which 
IBM or Microsoft could deal with this. And he is exactly right. We 
are not a private company. I came from a private sector. And we 
can hire and fire at lightning speed in comparison to the way we 
have to work in the government, particularly for senior positions. 

For example, one position that we have been struggling with is 
a very, very important one. It is cyber security. We have been 
through iterations. Three lists of people in the last — the last list we 
had actually selected someone. And they declined at the last 
minute to come in. 

We now have the latest list. And we are within weeks of making 
a selection. We got a much — we went out further, expanded our 
search, and we have a much better list. So you asked about why 
are we so slow, that is one of the reasons. It simply takes time to 
hire people in the U.S. Government. 

Sir, the timeline for filling positions, again, I would like to look 
at the detail there and respond for the record, because I need to 
be accurate in what I tell you. Because I need to see where we are 
on the hiring of some of these. 

[The information on timelines for filling positions provided 
by General Howard is in the response to Question 1 in the post-hearing 
questions for the record, which appears on p. 82.] 

General Howard. I mentioned cyber security. We were pretty 
close on that. The timeline on that one, for example, is a couple of 
weeks. You know, maybe 4 weeks at the max. We will have a 
name. And then it has got to work — it has got to work through the 
process, because this is a senior position. And it has got to work 
through, you know, our senior leadership and Office of Management 
and Budget and the Office of Personnel Management (OPM). 

The Chairman. Well, how about these 36 management proc- 
esses? The 

General Howard. Sir, I am committed to have implemented 
these by the summer of 2008. You know, that is the — July of 2008 
is when we — is when we complete our reorganization. And that is 
what I am committed to implementing. 

A number of them have already been implemented. We just need 
to capture in written form what we are actually doing, the incident 
response one is a good example. But that is what I am on the hook 
for. 

[The additional information provided by General Howard 
is in the response to Question 2 in the post-hearing questions for 
the record, which appears on p. 85.] 

The Chairman. Okay. Just for the record, this is from the GAO 
testimony on page 15: “As part of the new organizational structure 
the Department identified 25 offices whose leaders will report to 
the five deputy assistant secretaries, and are responsible for car- 
rying out the new management processes and daily operations. 
However, as of early September, seven of the leadership positions 
for these 25 offices were vacant, and four were filled in an acting 
capacity.” 

So I assume we know what positions we are talking about. 

General Howard. Yes, sir. And some of them, as I said, was an 
acting capacity. And that is why I wouldn’t consider those as being 
unfilled. 

For example, my position for Enterprise Strategy Policy Plans 
and Programs is filled right now in a temporary way by Scott 
Craig. He is a very strong person. He has been my enterprise ar- 
chitecture guy for years in the VA. So it isn’t like the position is 
empty. I do have — I do have someone in there. 

The Chairman. You just don’t do the same thing as an acting as 
compared to a permanent employee. We had this crisis situation 
now 16 months ago. And, I mean, if I were the Secretary, if I were 
you, I would have been calling us up and saying, we’ve done this 
or we’ve done that. It has been only 5 months since this loss. And 
we have all the computers encrypted; it is now 8 months and we 
have this reorganization. It is now 10 months and so on. 

We don’t hear from you until we call you. It is as if you say, well, 
no way around it, I guess we have to tell these guys now how many 
positions we filled. And everything just goes on as if it is a normal 
situation. That’s what it looks like to me. 

There is not a sense of urgency that we had last year. And the 
fear that was so rampant throughout the veterans’ community that 
their personal data may have been stolen or their identity may 
have been compromised was palpable. We simply must have a fast 
response on this stuff. 

If there are things that are getting in the way of doing that, just 
tell us and we will try to make it easier. We are working together 
on this; it is not just grilling you every 3 months about what is 
happening. We want to help you accomplish this. 

Mr. Bilbray. 

Mr. Bilbray. Thank you, Mr. Chairman. Mr. Howard, I was sit- 
ting here just — and I made a flippant remark to the Chairman 
about the days when we were in local government. But I just real- 
ized there was a reason why. 

When we were looking at IT and upgrading systems, we finally 
abandoned doing it in house. And started putting it out for bids for 
private companies to come in and competitively bid, because there 
was a degree of urgency then. 

And I guess the Chairman’s concern is the fact that, yeah, these 
things go on and nobody is accountable. Also no one is fired. Except 
maybe you want to get rid of the guy at the top. But we all know 
mid-management is where these things are really done. 

I would just like to follow up, and I don’t mean to ping on this 
thing, but you made a comment about the fact that medical — there 
were people in the medical field who were concerned about the bio- 
metric confirmation for access. Why would they be concerned about 
biometric confirmation for access? 

Except maybe the fact is do they understand what we are talking 
about? It is access to the — into the computer, not necessarily access 
into the records? 

General Howard. Sir, it is a reliability issue. You know, in some 
cases it doesn’t work right away. You may have to work your 
thumb a few more times. I mean, it is not as rapid. And in the 
medical community that is a concern. 

Mr. Bilbray. And the laptop — the laptop though, that is not 
where they are using it is it? 

General Howard. Sir, I think you may be referring to the laptops 
associated with medical devices that are not encrypted. This is a 
problem for us. And the issue is this, a lot of your medical equip- 
ment these days does have integral to it a laptop or at least some 
kind of software. And these devices have to be approved through 
the Food and Drug Administration. 

You have to be very careful about what you put on that machine. 
In fact, you can’t put some things on. 

Mr. Bilbray. Yeah. I understand that. Let me stop you and back 
up a little bit. We just made a huge leap from the medical — basi- 
cally the veterans’ records, not — but the veterans’ records on 
laptops that are being carried, being taken home, are being carried 
on airplanes, are being stolen. 

That is a huge leap to go from the equipment at a medical facil- 
ity and the access into that system. I just go back to the fact that 
we have so many of these laptops out there. We don’t even know 
how many we have now, because you got 

General Howard. There are 18,000 

Mr. Bilbray. Eighteen thousand 

General Howard [continuing]. VA laptops. 

Mr. Bilbray [continuing]. VA. How many private laptops that 
have VA access? 

General Howard. Sir, I don’t know the answer to that. 

Mr. Bilbray. Yeah. And I think we agreed that needs 

General Howard. It is vulnerable. Yes, sir. However, I will say 
this, there is a directive. In fact, I believe it is 06-5 or something. 
I can’t remember the number. Where — this is the waiver issue. 
That in order for the physicians to continue to do their work, we 
did put a waiver in place with the proviso, with the directive, that 
they have to protect their laptop in the same manner that the VA 
has. 

In other words, we have Guardian Edge full drive — full hard 
drive encryption on VA laptops. If you are a physician in the VA 
using your own personal laptop, you have to have equivalent hard 
drive encryption on your laptop. That is a mandate. 

Let me say one more thing, sir, one of the technical items that 
I mentioned earlier will be helpful to us to prevent you from 
downloading anything on your laptop. And that is being put in 
place right now. You know, that was a very important contract that 
we have been working on for months. We now have it. 

We will have help from the private sector. In fact, we have help 
from the private sector at all of these areas. But that will not 
only — not only protect the information. You won’t be able to put it 
on your laptop, because we will not allow it. And that will be very 
helpful to us. 

Mr. Bilbray. Okay. Mr. Howard, you know, the Chairman was 
questioning why — you know, about this issue of the biometrics. And 
the way I ran into it, because I have a district with a lot of high- 
tech biotech people that want privacy for their information, need 
security. And they use this as a matter of fact. 

And all my point was is that the security of the information of 
a company working on a new substitute for whole blood or doing 
something on cancer research, that information being secure is no 
more important than the right of a veteran to have their personal 
information secure. 

And that is why I brought up this issue of if the private sector 
can do it, if the laptop computer companies are making this tech- 
nology available as an option, it just seems like common sense that 
if we want to talk about truly securing, then we don’t ever depend 
on one gatekeeper. 

I mean, those of us that build jails know that you always have 
multiple catch systems so that when they are going through one, 
the other one will catch them down the line. 

And I just ask us, again, the technology is out there. The private 
sector has been doing it. It is available on the general market. It 
is not rocket science. And we still are finding arguments to not use 
technology that the private sector has found very effective out 
there. 

And I just ask us to, again, not to be scared of technology, but 
to embrace it. Not to put out the fire, because it may burn some- 
body. But realize that without it, a whole lot of people are going 
to go cold. I just think that we need to tool up on that. 

And I just leave you, again with the argument that maybe the 
problem is, is that we have a system where you can’t go in and fire 
people who are not performing and making sure that you can come 
to us with a more effective report. 

General Howard. Yes, sir. Sir, I don’t agree — disagree with you 
on the technical issue. I really don’t. And as I mentioned, we are 
using biometric in the — particularly in the thumb drive area. 

I would ask — in fact, Charlie De Sanno, in addition to directing 
region four, he is my systems engineer. All this technical stuff that 
we are testing and rolling out and all that, a lot of that has come 
out of region four. And I would just like — if it would be okay, sir, 
for Charlie to just elaborate a bit on that. 

In fact, right behind him is Jim Breeling. Jim is also up in region 
four. He is actually a physician. And between the two of them, they 
can elaborate quite a bit on some good things that are going on. 

Go ahead, Charlie. 

Mr. De Sanno. Thank you, Mr. Howard. Excuse me. I think prior 
Mr. Howard gave you a good run down as to the products that the 
organization has procured. 

And I think the point certainly needs to be made that with the 
reorganization of IT within the VA, certainly the infrastructure 
that Mr. Howard discusses, the haves and the have-nots, come into 
play significantly in a number of ways. 

So we talk about speed to market. We talk about how quickly the 
VA can react to your requirements, to the veterans’ requirements. 
And all of that is an extremely valid point. 

The problem that we have in the organization is that we first 
need to create a foundation to create our house. And it took some 
time to execute, to design that foundation. So when you look at any 
one technology, like biometrics, and you say hey, why isn’t the VA 
using biometrics? 

Well, we have a strategy behind everything we do. What you are 
really talking about is dual factor authentication and securing of 
the personal information that may exist on that hard drive. 

The Personal Identity Verification (PIV) initiative with smart 
cards is going to be rolled out. And our architecture, given the 
mandate to use these smart cards, does work very nicely with our 
encryption. 

Furthermore, with the PC lease and the standard desktop, the 
secure desktop image that we are “architecting” that is in line with 
standards, government-wide standards for security, we don’t store 
any data on these mobile devices. The mobile devices and desktops 
and laptops, those data will be stored in a secure data center that 
is backed up. 

And in addition, Mr. Howard references rescue. And with this 
product, we can ensure that the devices that are attaching to the 
VA network are not only secure but contain no data. 

And if those devices aren’t secure, we put them through a white 
room, a clean room, where we ensure that the Microsoft patches 
are up to date, other virus vulnerabilities are remediated. 

And if we can’t do it, ensuring we give that user a quick response 
time, we segment them. And we put them in a virtual environ- 
ment. 

So I agree as Mr. Howard does overall with the strategy. I want 
you to know that we have thought out this process. And we know 
that protecting veterans’ information is absolutely critical. 

There is a strategy behind what we are doing. And the founda- 
tion that we are putting in will be used to build all information 
technology for now and in the future years. 

General Howard. Sir, this fiscal year is a key year for us. FY — 
you know, you asked about timelines. FY08, in fact the GAO men- 
tioned this plan we have with 400 actions and all that. 
You know, your guys have copies of that. FY 2008, although 
some of the timelines go beyond — our 2008 really is a key year. It 
really is. 

And we expect to see very dramatic improvements in this whole 
area, because we got the tools in place now to help enforce some 
of this stuff that we did not have before. 

Mr. Bilbray. Do you have the money to pull this off though? I 
worry about the fact that I have seen again and again where we 
have done this. We have the mainframe set up, we get it all lined 
up, and then it doesn’t connect. And we end up like the IRS did 
with a billion dollar system that doesn’t work. 

General Howard. Sir, we do — we do have the money, unless 
somebody takes it away from me, which they haven’t yet. I mean, 
I feel reasonably comfortable. We are okay there. 

The Chairman. Thank you, Mr. Bilbray. We thank you all for 
being here. As you heard, we have another set of votes. We are 
going to recess for 15 minutes. And then we will hear from the next 
panel. 

Please understand our sense of frustration. We want it yester- 
day. None of us underestimates the difficulty. But without goals, 
without timelines, by pointing to the next fiscal year, it is always 
a process and it never gets done. And we want it done. If you need 
more resources to do it, you need to ask us. 

Thank you again for being here. And we will start with panel 3 
in about 15 minutes. 

General Howard. Thank you, sir. 

[Recess.] 

The Chairman. I apologize for having to hold you all morning. 
I appreciate your being here. The third panel is comprised of Dr. 
Paul Tibbits, Deputy Chief Information Officer, Office of Enterprise 
Development, U.S. Department of Affairs. And Doctor Ben 
Davoren, Director of Clinical Informatics. Is that right? Is that a 
new word? You’ll have to define it for me. At the San Francisco VA 
Medical Center. Please, I appreciate you staying through the after- 
noon here. 

STATEMENTS OF PAUL A. TIBBITS, M.D., DEPUTY CHIEF INFORMATION 
OFFICER, OFFICE OF ENTERPRISE DEVELOPMENT, OFFICE OF 
INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS 
AFFAIRS; AND J. BEN DAVOREN, M.D., PH.D., DIRECTOR OF 
CLINICAL INFORMATICS, SAN FRANCISCO VETERANS AFFAIRS 
MEDICAL CENTER, VETERANS HEALTH ADMINISTRATION, U.S. 
DEPARTMENT OF VETERANS AFFAIRS 

STATEMENT OF PAUL TIBBITS, M.D. 

Dr. Tibbits. Thank you so much for the opportunity to testify in 
the realignment process in the Office of Information and Tech- 
nology (OI&T) and to share with you the progress made in VA as 
a result of the centralization of development activities. 

Joining me on this panel is Dr. Ben Davoren, Director of Clinical 
Informatics in San Francisco and Dr. Jim Breeling. You have just 
heard testimony from Assistant Secretary Howard regarding our 
realignment progress and the need for more work to transition 
from a decentralized to a centralized organization. 

I would like to share with you our progress establishing an IT 
governance plan, strengthening development processes — develop- 
ment process improvement efforts, and fostering innovation. 

You have heard also General Howard refer to his seven priorities 
or you would have had he used his prepared remarks. But in any 
case, I would like to discuss with you those that directly apply to 
us in development. 

First with respect to establishing a well-led, high-performing IT 
organization, we are pursuing improvement of the development 
workforce throughout the Office of Enterprise Development. 

To improve the VA IT development workforce, we are instituting 
real-time coaching and mentoring by industry experts in best prac- 
tices in systems development to institutionalize these practices in 
the VA. 

Second, standardizing IT infrastructure and IT business proc- 
esses throughout the VA provides a baseline for measuring effec- 
tiveness of our development process. It is the first step to reduce 
time to deliver applications, reduce costs to develop applications, 
implement process performance measures, and increase productivity 
of the development workforce. And it is certainly very hard 
work. 

We are using independent industry consultants to guide us 
through this self-improvement initiative. 

Third, let me address establishing programs that make VA’s IT 
system more interoperable and compatible. Interoperability begins 
with a common understanding of terminology. 

The IT development organization will be collaborating more 
closely with the Administrations in the use of business modeling to 
perform — I’m sorry, to provide a uniform basis of developing a 
shared understanding of new ways to serve veterans and the infor- 
mation required to do so. 

We are engaging with the administrations and with DoD to 
strengthen and accelerate data standardization activities within 
VA and with DoD. We are exploring ways to focus on high priority 
patient groups, such as traumatic brain injury and post traumatic 
stress disorder, while continuing the hard work of semantic anal- 
ysis, reconciliation, and the consolidation of multiple data feeds be- 
tween VA and DoD. Fourth, we are focused on managing the VA 
IT appropriation to ensure sustainment and modernization of our 
IT infrastructure and more focused application development to 
meet the requirements of our business units. 

We are applying life cycle and total cost of ownership manage- 
ment practices to all development projects, to account for all costs 
of implementation and operations, as a foundation for budget for- 
mulation. 

We are moving toward clear line-of-sight alignment with the VA 
strategic plan and the Performance Accountability Report by reshaping 
OMB 300 exhibits in fiscal year 2010, a creation of the 
first multi-year IT budget in VA, and strengthening our relation- 
ship with the requirements processes of the Administrations and 
staff offices. 
With respect to governance, we have established a participative 
transparent IT governance process at the senior executive level of 
the VA. We have created a set of organizational principles and governance 
structures and practices that surface business strategy, facilitate 
accurate project cost, benefit, and risk estimation, and provide 
the decision-making framework that focuses attention on the 
most critical projects. We are developing management dashboards 
to implement early warnings of issues with system development. 

The single IT appropriation sets a context for competition among 
new ideas, since some are not affordable. This creates the percep- 
tion at the hospital level that many good ideas are disregarded de- 
spite “local needs,” and that the flexibility available to VISN and 
hospital directors to use healthcare funds for information tech- 
nology is constrained. 

This disregards the rest of the story. Solutions developed locally, 
with a few exceptions, were rarely deployed across all VA medical 
centers, resulting in some centers not getting the advantage of 
these IT capabilities. 

Furthermore, many needs were thought of as local, when in fact 
they were enterprise-wide requirements. Under the single IT au- 
thority and single appropriation, IT appropriation, we operate in an 
environment of financial transparency. Funds dedicated to 
sustainment, extending legacy systems to meet urgent needs of re- 
turning warriors, and to modernize our computing environment are 
now visible to senior VA executives. 

Unmanaged local innovation makes the implementation of enter- 
prise solutions quite difficult. Many IT products are operating in 
various VA medical centers, with no support mechanism to pro- 
liferate the more successful of them to all other medical centers. 

In close collaboration with VHA, we are moving to create a proc- 
ess to identify new ideas at the local level, facilitate collaboration 
among field developers and VA medical center healthcare profes- 
sionals, and to develop new software products in a non-production 
environment in an unconstrained manner. 

In order to enter the live production environment and assure 
deployability across VA, certain technical assessments, business 
values, security, and patient safety assessments will be made and 
any remediation necessary applied. 

The migration from the VistA legacy system to the HealtheVet 
platform entails complex development. This form of innovation 
must be centrally managed. It is too large for local initiatives alone 
to accomplish. 

In addition, some forms of new IT support require an analysis of 
end-to-end processes to serve veterans, such as transition from 
DoD to VA, again not necessarily — not easily accomplished at the 
local level given complex data standardization and security issues 
that are involved. We are attempting to strike the right balance. 

We have had some problems. But we have also gained valuable 
visibility over unknown IT — heretofore unknown IT activities, a 
definite improvement. 

We also now know more about IT funding details across the VA 
and have a greater ability to protect sensitive veterans’ informa- 
tion. 
In closing, let me say that we want your ideas. I want to assure 
you, Mr. Chairman, that a successful IT realignment activity is a 
key goal within the VA. 

We have accomplished many things this past year but much 
more remains to be done. I appreciate having this opportunity to 
discuss this with you and will gladly respond to your questions. 

[The prepared statement of Dr. Tibbits appears on p. 73.] 

STATEMENT OF J. BEN DAVOREN, M.D., PH.D. 

Dr. Davoren. Medical informatics or clinical informatics is the 
science of information management, including all of terminology as 
well as human computer interfaces and so forth. So it is actually 
quite broad. It is not yet a medical specialty but it is being consid- 
ered for one as we speak. 

Good afternoon, Mr. Chairman, and Members of the Committee. 
I do want to thank you for this opportunity to provide my personal 
perspective of the OIT reorganization that began in 2005. But the 
views that I present today are my own and do not necessarily rep- 
resent the views of the VHA. 

By way of training, I am an oncologist. But I have been a mem- 
ber of the clinical work group that has helped guide the computer- 
ized patient record system development in VHA since 1999. 

In response to the Secretary’s proposal for IT realignment, many 
employees at medical centers expressed concerns about the details 
of the plan. And in particular, they felt that the regionalization of 
IT resources would create new points of failure that could not be 
controlled by the sites experiencing the impact of those. And that 
system redundancy required to prevent this was never listed as a 
prerequisite to centralization of critical patient care IT resources. 

From my point of view, it was clear to me that the focus of reor- 
ganization was on technical relationships and not on how the mis- 
sions of VHA could be communicated to the new OIT structure. 
And I communicated this to my facility director and VISN director 
at that time. 

The IT reorganization has had a direct impact on VHA’s four 
principal missions: patient care, education, research, and sup- 
porting the Department of Defense. 

With respect to the primary patient care mission, the good news 
has been that new policies and procedures, in particular regarding 
encryption of sensitive information, have been very well-publicized 
and have heightened the awareness of all care providers as to the 
critical nature of the information that they, that we, use every day. 

The bad news is that centralization of physical IT resources to 
the regional data processing centers has directly led to more sys- 
tem downtime for individual medical centers than they have ever 
had before, resulting in hundreds of simultaneous threats to the 
safety of our veteran patients. 

Disagreements about whether new clinical application requests 
are IT or not-IT have delayed implementations. With respect to the 
education mission, the good news, again, is that awareness has 
been heightened for staff and students about the information that 
we use and the need to protect it in all settings. 

However, rules on encryption of all portable devices, such as 
thumb drives, rather than just on encrypting sensitive information, 
have made it cumbersome to go about common work, such as giving 
academic talks where no scientific information is present. And 
collaboration by video conferencing has been curtailed. 

With respect to the research mission, planned standardization of 
VHA databases may well and should create significant and very 
welcomed research opportunities. Though at this time, I don’t have 
any specific progress to be able to report. 

In terms of our role in supporting the Department of Defense, I 
believe that initiatives to enhance electronic data-sharing between 
VHA and DoD have proceeded appropriately from the field perspec- 
tive. 

But in my opinion, there has been a lack of transparent commu- 
nication between VHA and the reorganizing OIT structure. At 
present, economies of scale that were a cornerstone of the realign- 
ment proposal have not been communicated to the facility level 
where the work of VHA occurs. 

The focus on security and data integrity has led to a number of 
new requirements with impacts that generate significant concern 
without a clear pathway to resolution. In my view, there also re- 
mains a tremendous uncertainty about how to work with our long- 
standing IT colleagues to address local or regional clinical care, re- 
search, or educational needs. 

These arise on an almost daily basis as the result of new man- 
dates from accrediting bodies, VA performance measures inter- 
nally, or Congressional action. 

A word about the down time on August 31st. The new region one 
of OIT-supported facilities experienced the most significant techno- 
logical threat to patient safety VA ever had. A 9-hour downtime 
during standard business hours that crippled the clinical and other 
information systems of 17 different VHA medical facilities. 

During the downtime, it became clear that many assumptions 
about the Regional Data Processing Center model were erroneous. 

Specifically, rather than creating a redundancy to protect facili- 
ties from system problems, a new single point of failure caused a 
problem that could never have been replicated without this Re- 
gional Data Processing Center model having been created. 

In my view, the OIT realignment process begun in 2005 for the 
right reasons has been focused on technical IT issues and the re- 
porting structure of its new 6,000-strong employee force and not on 
linking IT strategic planning with organizational strategic plan- 
ning. 

Mr. Chairman, this concludes my statement. And I will be 
pleased to answer any questions you may have. 

[The prepared statement of Dr. Davoren appears on p. 76.] 

The Chairman. I didn’t notice a lot of publicity about this down- 
time incident. 

Dr. Davoren. On August 31st? 

The Chairman. I don’t remember it. The press didn’t cover this, 
did they? Why do you think that was? 

Dr. Davoren. It consumed our day, but I am unclear on what 
the press did or did not cover. 

The Chairman. I mean you call it the most significant techno- 
logical threat to patient safety the VA has ever had. You would 
think somebody would have made a — I think we would have had 
a Congressional hearing on it actually. 

So you are saying that the path that the VA took in terms of two 
different streams was very useful in that situation. Is that what 
you were saying? Phrase it for a layman so I can understand it. 

Dr. Davoren. I am not sure I understand the question com- 
pletely. 

The Chairman. You said that we caused — I assume because of 
the centralized nature, a failure led to a very 

Dr. Davoren. That’s right. 

The Chairman [continuing]. Deep problem. And then you said — 
I see. I misunderstood what you said. “A problem that could never 
have been replicated.” 

Dr. Davoren. Right. 

The Chairman. I don’t know what that means. 

Dr. Davoren. In other words, before the regionalization of IT re- 
sources with individual — the actual systems that contain the pa- 
tient information in a distributed fashion at the medical centers, it 
would have been impossible to have 17 medical centers simulta- 
neously have their clinical information systems unavailable. But 
that was the case. 

The Chairman. Okay. So you are saying the centralization has 
ended up with this downside. 

Dr. Davoren. The — yeah. Centralization of the physical IT re- 
sources. 

The Chairman. Okay. That was the theme of your statement 
that the local kinds of needs may be either overlooked or washed 
out in terms of this. 

Dr. Davoren. That there isn’t a clear pathway of communication. 
And 

The Chairman. How would you remedy that? 

Dr. Davoren. Well, I think — I think there are a few key areas. 
From the facility level, the changes that have occurred in terms of 
our collaboration with our IT colleagues, it is not clear exactly what 
we can and can’t do when we approach problem solving at the med- 
ical center. 

We have a number of — we have a number of internal and exter- 
nal bodies that tell us that things need to change as medical care 
evolves. And many of the processes that we have involve an IT 
component. 

So if we have a new discharge process for example, because we 
know our hospitals are very, very full, there may be some human 
resources as a project — a process action team, as we call them, 
typically looks at the causes of a problem. And looks for areas 
where we might be able to solve them. 

So a very, very full hospital trying to improve the discharge proc- 
ess is a key item. We may find that we actually need to hire a dis- 
charge planning nurse or a pharmacist. We may need to set aside 
some physical space. And we may need to make some changes or 
we would like to make some changes to how the computer system 
works, generates output for some of these people at the time of dis- 
charge. 

In the past, that was — we had a team. They all worked for the 
medical center. And so this whole process would be put together. 
Now that team, on paper for sure, no longer exists. So the question 
is at this point, for our region in particular, if we can’t make local 
changes to our internal VistA system, it is not clear what the com- 
munication method is back to the resources that now live in OIT 
to accomplish that. 

The Chairman. What did you call — you had some coordinator of 
beds. You had a title to help 

Dr. Davoren. For the discharge planning? 

The Chairman. Yes. What was the title? 

Dr. Davoren. So a number of VAs have looked at this process 
because it is so critical. So there are discharge planners 

The Chairman. Discharge planners. 

Dr. Davoren [continuing]. Who are frequently 

The Chairman. You should call them “ombudsmen.” 

Dr. Davoren. I will make a note of this. 

The Chairman. The only guy who laughed was the guy I pay. I 
am told by the counsel that you have used the chemotherapy soft- 
ware as a good example to highlight some of this. Tell us about 
this. 

Dr. Davoren. Right. As a highlight of where the communications 
process is very unclear, it — there is a product that happens to be 
called IntelliDose. I am an oncologist, so I do write for chemo- 
therapy. 

And this is a particular software that integrates with the VistA 
system, with the core VA system, for writing chemotherapy that 
the existing VistA system cannot do. And that immediately 
planned VistA systems will not do. 

So there is a system that has been piloted at the San Diego VA 
and integrated with VistA over the last couple of years to really 
work the bugs out in a real-life setting. 

And the — in the VHA structure, the Impaired Decision Making 
Capacity (IDMC) that was referred to earlier this morning, would — 
did make a decision about a year ago that it was ready for prime 
time if you will. The software was mature enough in its integration 
that it could be used at other medical centers besides the pilot site. 

We wrote a proposal after reviewing the software for my net- 
work, VISN 21. We got the clinical buy in. We saw a number of 
demonstrations to be sure this is what we wanted to do. And I 
wrote a proposal for the project. 

It was, by my own interpretation of the rules of what is or is not 
IT, really more of a medical device and not an IT expenditure. But 
that was not agreed with by the VISN CIO necessarily. And that 
as we wrote the proposal and were able to get funding, then sud- 
denly a few weeks ago it was determined that this really ought to 
go back to the IDMC for not just their review and approval, but 
for review and approval for national funding. 

And the Western States Network Consortium that was — in re- 
gion one, so the West Coast networks decided that perhaps this 
might be one of the pilot projects they would like to do at a re- 
gional level. So the particular proposal that I put together was on 
hold. 

So what this has the effect of saying is that we had a community 
sense of what needed to be done. We had a pilot project that 
proved — that proof of concept. We were ready to go forward for 
FY08. But now there is a new layer of review that is not entirely 
clear to me what exactly it is that makes this look like it may not 
be — until 2009 or 2010. 

So it is going back to the IDMC body that originally says it was 
okay to get with a new task for the IDMC. I recognize that is very 
circular. But I am just trying to convey the sense that from the 
field perspective, the communication about what really needs to be 
done to implement something that our patients need now is very, 
very unclear. 

The Chairman. How long have you been with the VA? 

Dr. Davoren. I have been with the VA for 12 years. 

The Chairman. Do you feel secure in your job? I am about to do 
something that has not been done. So I want to make sure I get 
your 

Dr. Davoren. I have told people I will find out whether or not 
I am a political appointee at this very hearing. So — but generally 
yes I do. 

The Chairman. I should do this. General Howard, can you just 
come back to the table for a second. I am not going to have an ar- 
gument between you. But you have heard us yelling about cen- 
tralization, right? And there have been qualms. 

We went from a very decentralized system, which had problems. 
Now we are moving to a very centralized system. And we hear 
there are problems with this approach. This is not the first person 
to raise these concerns. How do we find the balance there? 

General Howard. Yes, sir. Let me 

The Chairman. And without, you know, reacting to every 
scream, we do one thing, and then we have gone too far, and now 
we have a scream about going the other way. And, you know, it is 
not a helpful process. 

General Howard. No, sir. But I would — I will say that there is 
a process in VHA for elevating requirements to the very senior 
level. I mean, there is. And, in fact, I have actually participated in 
meetings of the Committee that does that. 

I can’t recall the individual who chairs that Committee right 
now. But it used to be Dr. Bob Lynch. Lynch has since left the VA. 
But there is a new individual now. I can’t recall his name. 

But that body is in place. They had functions to prioritize, you 
know, whether an issue is a class three requirement that needs to 
be put in place or any requirement from within VHA. That is the 
Committee that decides how those items are prioritized. 

However with that said, there still exists at the facility level the 
capability to try out ideas and that sort of thing. And in fact, I will 
ask Paul Tibbits to describe the process. He mentioned it in his tes- 
timony that we in VHA are putting in place to make sure innova- 
tion does occur and continues to occur at the facility level. 

But at some point in time, you have to begin to gather that up 
and expand it throughout the VA or else 

The Chairman. No. I understand that. But as I heard Dr. 
Davoren say — I mean, we have added, for example years, to a po- 
tentially very helpful therapy to try to test it or use it. 

And so are we adding this level of bureaucracy that will take — 
I mean, clearly you want something to spread good things quickly. 
But 
General Howard. Mm-hmm. 

The Chairman [continuing]. You want to also balance that with- 
out having good things coming to the surface without a bureauc- 
racy interfering. 

General Howard. Yes, sir. There — from an OIT standpoint, there 
is no — there is no OIT layer between Dr. Davoren and Mike 
Cuspin. We are not in that. We are in our own layer. You know, 
we have our own reporting process. But any requirement within 
VHA does not have to go through OIT. It can go all the way up 
to the top. 

Now at some point in time, obviously we are engaged in the ex- 
amination of that issue to first of all see if it is possible, see if there 
is funding available, and what have you. 

The visibility issue, though, is key. You mentioned, you know, 
the decentralized way of doing business in the past. If I was a hos- 
pital director, in the past and before the IT appropriation, I did 
what I needed to do, you know, out of the medical money available. 
If I needed to spend it on IT I did. I mean, it was actually, if you 
were a hospital director, was not a bad environment. It was pretty 
good. 

The trouble is it was not very efficient. And the Congress actu- 
ally got pretty upset with that kind of operation. And that is what 
we are trying to standardize. We are not — we are trying to stand- 
ardize this. But at the same time, not kill innovation. We definitely 
do not want to do that. 

We want to put a better process in place to control it a little bit 
more so that the good ideas do bubble to the top and get used 
throughout the VA. And the ones that maybe are not very good, are 
finally just cut off. I mean, that is kind of a research environment 
that has to be 

The Chairman. Well, but another way to ask about that balance, 
I mean, again, it was mentioned, this region one downtime 

General Howard. Mm-hmm. 

The Chairman [continuing]. That we lost the whole region. I 
mean, is that an example of over-centralization or not? 

General Howard. It is to prevent 

The Chairman. How are we going to prevent that from occurring 
again? 

General Howard. Sir, actually the — it is the regional data proc- 
essing program. And it actually existed before the IT central. It 
was the VHA initiative that goes back a number of years. 

And the idea, the central idea, was to better protect the informa- 
tion, you know, in well-protected data centers, tier four data cen- 
ters. 

Obviously at this point in time, we are responsible for that pro- 
gram. You know, it came over to us. So everything that happened 
at Sacramento is on our watch. You know, we were responsible for 
that. 

What we are discovering — and just to comment on that, clearly, 
you know, we put a team in to examine what happened. The fact 
is the tiger team is still at work to examine the details of all that. 
I have an independent review that is about to get underway, be- 
cause there is more to this than meets the eye. 
We are very concerned about in the design of the program, for 
whatever reason, the proper backup at facility level was not ade- 
quately considered. We can see that now. 

In other words, some facilities had a better capability to read, not 
write, but read information on their backup system than other sites 
did. You know, why was that dichotomy there? 

And maybe we skimped from a resource standpoint. But we have 
an effort underway now to examine not just Sacramento, but the 
whole program to see exactly what we are doing and build in a 
more robust backup capability at the facility level. We have that 
underway and include the other data centers as well, you know, 
the corporate data centers. 

So we are stepping back to take a hard look at this program to 
see exactly what we are doing. Some aspects of it are good. The 
idea of protecting the information is very good. 

But you can’t permit — you know, permit a condition that allows 
a hospital to go down for 8 hours. That is ridiculous. We cannot 
allow that to happen. We understand that. And we are going to 
take steps to do it. It may involve more funding. And we just don’t 
know that at this time. 

The Chairman. Any more comments on this issue, Dr. Davoren? 

Dr. Davoren. On the down time? 

The Chairman. Or on any of the issues we just raised. 

Dr. Davoren. Right. I think, you know, ultimately the — if the 
end user needs, my needs and those of the people that I work with 
to directly care for the veteran in front of them, are the driver for 
processes that happen to include IT as a part of them. That the 
structure needs to be in place and more transparent to those of us 
who are in the field for how we can — how we can relay our innova- 
tive ideas as well as our concerns about day-to-day operations 
through the whole structure, through both our own VHA structure 
as well as the communication points to OIT. And from the field 
from the farthest point on the West Coast represented here that 
that is not in place. 

The Chairman. Okay. I hope we keep that in mind as we go 
through this process. And we should bring in more people from the 
field to give us their sense of what is going on. 

So thank you for your candid comments. 

I just — Dr. Tibbits, if I just — this thing about DoD and VA just 
flabbergasts me. You know, in concept, interoperability is easy. But 
we have been talking about it for probably a couple of decades. 
Why is it so difficult? 

I mean, could a General Howard or a Bill Gates come in and just 
say do it? What is so difficult about just ordering these two systems 
to talk to one another? I see some people shaking their heads that 
it couldn’t happen that way. But why is that so — what am I miss- 
ing here as a layman? 

Dr. Tibbits. Thank you for the question. It is an excellent ques- 
tion. And there are several ways to answer the question. And let 
me step through them quickly. And then allow more time for dis- 
cussion if you wish. 

At the end of the day, the reason it is not so simple to just say 
go do it is the vocabulary problem. The vocabulary problem is an 
intense problem. If you can think of “Roget’s Thesaurus” of the 
Department of Defense. It has got its — it would have its own 
thesaurus. If you think of “Roget’s Thesaurus” of the VA, it would 
have its own thesaurus. 

And without putting those two things together, it is extremely 
difficult to get interoperability to happen in the way many people 
want it. So if you back down from that and start saying, all right, 
are there simplifying constructs that we can use? So without get- 
ting our thesaurus 

The Chairman. Can’t you have the “Howard Thesaurus” and 

Dr. Tibbits. The what? 

The Chairman. “Howard Thesaurus.” 

General Howard. You wouldn’t be able to understand it. 

Dr. Tibbits. Well, we could. But what that creates, unfortu- 
nately, is a third thesaurus. And while, yes, if in fact — in fact that 
is a strategy. And if we got all parties to agree to that third one 
and mapped the third one, that would actually be progress. 

But I want to back down from that and say there are simplifying 
constructs. And those simplifying constructs involve not going for 
the full degree of information interoperability. So a computer can 
actually recognize the information. But simply transmit electronic 
information back and forth that the computer can’t read, but a 
human being can. But it is still in the computer. All right? 

So we have done that. We have gone down to a lesser degree of 
information interoperability. And there is a great deal of clinical in- 
formation that is going back and forth and scheduled to be aug- 
mented over the next few months between the two departments. 

And Mr. Bestor and Mr. Wu are very familiar with many of those 
initiatives, VA Health Information Exchange, Federal Health Infor- 
mation Exchange. Lots of information going back and forth there. 

The other piece of it is organizational. And let me just touch on 
that. 

The Chairman. I am sorry, go ahead. 

Dr. Tibbits. Let me just touch on that lightly. Organizational — 
I have personally been involved in looking at the organizational im- 
plications of what you are saying for many years, both when I was 
in DoD I spent a lot of time working on VA DoD collaboration. I 
had 26 years in the Navy Medical Department, 18 of which were 
on medical informatics I might add. 

I spent a lot of time on VA DoD collaboration issues. After that, 
I supported the Presidential Task Force and looked at DoD collabo- 
ration and wrote the chapter actually on seamless transition. 

One of the issues then we focused on, and we still focus on now, 
is there are two cabinet level agencies. And who exactly is it that 
is going to tell two cabinet-level agencies on a practical day-to-day 
basis to collaborate with each other? 

And when we go up the executive branch, what do we find? We 
find OMB in the White House. We were never convinced that as 
a practical matter of getting two cabinet agencies to collaborate 
with each other, either OMB or the White House, were really very 
effective management tools in the sense that that actually has to 
be managed. At a policy level, they may be quite effective. But to 
really get that to happen is a very difficult circumstance. 

So I guess thirdly I would say requirements are important. What 
are we trying to exchange information for? And there are two big 
buckets here that I want to put in front of you. 

One is to better serve veterans. The other is to save money. It 
is very important to look at those two objectives separately and fig- 
ure out which one or both or which is it we are after and in what 
degree of priority. 

If our primary objective is to serve veterans’ needs, a program 
structure would evolve from that and has evolved from that, which 
focuses on the data, the clinical data, what is in the record, how 
the veteran and how the servicemember was treated in exchanging 
that back and forth. 

If one is interested in saving money, then a whole different para- 
digm has to be taken, which looks at software and software devel- 
opment. And are we developing software together, we, VA and 
DoD, that would save money, that would allow us to reuse the soft- 
ware perhaps between both departments. 

But that in and of itself, would not standardize the data so that 
we could have the information interoperability necessary to serve 
veterans’ needs. 

So being clear about those objectives between the two depart- 
ments, addressing the issues of how we get two departments from 
an organization perspective to collaborate with each other, and 
then forcing attention and more and more attention on the termi- 
nology issues to get the two departments to speak the same lan- 
guages, are basically the three levels of issues that are relevant to 
your question. 

The Chairman. If we actually solved this thing, you wouldn’t 
have a job anymore. That is the real problem here I think. Just 
kidding, sir. 

Dr. Tibbits. I would be glad to relinquish my job and solve that, 
because I have been after this issue and this job for too long. And 
I can’t tell you how much I appreciate your question. 

No, we are solving it. 

The Chairman. Again, as a layman, I mean, you use “Thesaurus 
I.” What is the plural of thesaurus, a thesauri? Thesauramatics is 
probably a specialty. There is probably a specialty in the study of 
a thesaurus. You had one and two. And you — I suggested a third. 
Why isn’t “Thesaurus I” adopted? 

Dr. Tibbits. Well 

The Chairman. I am told VistA is the best system in the world. 
So why doesn’t the DoD adopt VistA? 

Dr. Tibbits. That doesn’t solve the terminology problem. That is 
why. And let me try to exemplify that for you in terms that per- 
haps all of you — everyone will be familiar with. And let me use 
email as an example. 

I assume many of you in the room today are familiar with Micro- 
soft Exchange and use Microsoft Exchange for email. Outlook, 
Microsoft Outlook. I assume many of you at one time may have 
been familiar or used Lotus Notes. Two very different programs. 
Two very different sets of software. But yet information can be ex- 
changed between the two of them, because if both users speak 
English terminology, if both users use the same standard protocols 
for transmission, TCP/IP (Transmission Control Protocol/Internet 
Protocol), a little techno babble, if both of those standards are in 
place, then information interoperability can happen very clearly 
with the software on both ends, sender and receiver being com- 
pletely different. 

If on the other hand, you use Microsoft Outlook, and you attempt 
to send email to a Frenchman who is also using Microsoft Outlook, 
identical code on both ends, identical software, the same computer 
system, if you will, on both end, sender and receiver. You even use 
the same protocol, so the message will get through. 

If you speak only English, and the recipient speaks only French, 
there will be no information interoperability with identical code on 
both ends. 

That is exactly the situation we have now. If you take VistA, and 
the reverse is also true if you take Alta, either way. If you take 
VistA and parachute it into the Department of Defense today, ei- 
ther it will have to be repopulated, the files and tables, with the 
terminology of the Department of Defense in order for them to be 
able to use it. Or they will have to change their entire terminology 
libraries to be able to use it with our terminology in it, which 
would be a massive change in policy, how they manage people, how 
they manage their budgets, how they do assignments, how they 
send people to theater, how they order band-aids. All would have 
to change to the VA’s terminology model. 

The Chairman. Couldn’t I send my English email through a 
translator? 

Dr. Tibbits. Yes. And that is the terminology mapping. And to 
build those — that is — that is the thesaurus work of putting the two 
thesauri together. And either 

The Chairman. But then the Frenchman would understand me, 
right? 

Dr. Tibbits. That is correct. But that is the hard work. And that 
is why it takes so long. 

The Chairman. That is hard. Okay, it just sounds easy to me. 

Dr. Tibbits. Very hard. Very — those are very large data sets. 
Imagine every drug. That — when we standardized drugs, that is 
just one domain. When we standardize allergies, that is just one 
domain. When we standardize vital signs, that is just one domain. 
And that is what we are doing. 

And by the way, at the end of the day, we may not have nec- 
essarily addressed the data for traumatic brain injury. Why not? 
Because if you were to ask me well what have you done by way 
of standardization for traumatic brain injury, my answer would be, 
well, we have standardized drugs, we have standardized allergies, 
and we have standardized vital signs for them. Okay, Doc, but can 
you send the electro encephalogram back and forth? Well the an- 
swer is no. We didn’t quite get to the wave form domain yet. 

So my answer is both. Continue with the hard work of the the- 
saurus work. Continue with that. Keep that going. While at the 
same time, we superimpose on it a problem-oriented approach. 

Take the big problems first, traumatic brain injury, PTSD, am- 
putation, and look at a combination of both structure and 
unstructured data so that we actually have information 
interoperability, some of which is computable, some of which is not 
computable. But a physician can still read and develop our data exchange 
plans that way, so it is a combination of both as a simplifying and 
acceleration technique to address the key problems that are impor- 
tant to veterans today. 

The Chairman. Thank you. That was very helpful. I appreciate 
it. 

Mr. Wu, did you have a question? You may. Please. 

Mr. Wu. Chairman Filner, we appreciate the accommodation for 
counsel to ask several questions. I will defer the questions to Gen- 
eral Howard, since we argue all the time. And we don’t need to do 
that here. 

A little history. I don’t need to ask Dr. Tibbits any questions, be- 
cause he and I argued about the incompatibility or compatibility of 
DoD and VA for the last 10 years. And I was asking the same ques- 
tions you were asking him before. 

But I will ask Dr. Davoren. I now know who I want to come to 
as a hematology oncologist if I become afflicted. And I appreciate 
that. 

The Chairman. It is oncologomatics is what he is 

Mr. Wu. But your testimony concerns us. And I think, Mr. 
Bestor, the staff director on the majority side, and I have had this 
conversation before. He says, “I have pride of authorship.” Since we 
did the Omnibus Act that did the integration consolidation, and 
Mr. Buyer put 6 years into it. 

It is not that I don’t have an appreciation for what you are talk- 
ing about, what you want to do on the software program for chemo- 
therapy protocols and so forth. I would just ask you this, how many 
in the VA system of 152 hospitals that deal with oncology, that 
deal with chemotherapy protocols, whether they are in clinical 
trials, that there aren’t hospitals that are using some software now 
similar to what was demoed successfully in San Diego, not saying 
which is best, and how are they in the queue? 

What if you have five different systems out there doing the same 
thing? Should we have five systems? Should we have one? 

Dr. Davoren. At this point, I can tell you that there aren’t any 
other integrated software systems in the VA specifically for this ap- 
plication. That is for me, that is what makes it such a no-brainer. 

I think the issue for the bake-off, if you will, of competing prod- 
ucts is very important. I think there are many layers to this, how- 
ever. Every — there is a saying that you have heard probably too 
many times in this room that when you have seen one VA, you 
have seen one VA. 

And that software by itself, does — it can enforce a specific clinical 
business process. But typically it is invested in a particular way of 
doing business. 

So, for example, if you look at the discharge process I talked 
about before, there are some places that may address this with 
some changes in physical space. There are places that may address 
this in changes of personnel and responsibilities, hiring nurses, hir- 
ing pharmacists, hiring a number of people. 

And they may also feel that there is an IT component that needs 
to be modified in those. And that doesn’t mean that the IT compo- 
nent that is developed there is actually applicable to the way that 
another VA does business with the same exact problem. 

That doesn’t mean it doesn’t need to be addressed. But by way 
of answering your question, it is not clear at the — at the point of 
care for the veteran in front of you that it matters whether or not 
the exact tool that you use is the same in San Francisco as it is 
in Puget Sound, as it is in New Orleans. 

Mr. Wu. All right. I can appreciate that. On the down time. 
Chairman Filner, it was very disturbing to see a network of hos- 
pitals down or be without access to clinical information. I think 
that is profound. 

But I would ask you this, and I was relieved when those regional 
process data process centers went into place. Chairman Filner, I 
will tell you that I was detailed to the special investigative Com- 
mittee on Katrina. And that was a good news story for the VA, be- 
cause out of Louisiana State University, out of Tulane, out of Bap- 
tist Hospital, out of Charity, every one of their medical records 
were destroyed when the flood came through. The VA was able to 
download their medical records, which were on servers in the sub- 
basement. 

What is significant about that is that is where the sub-basement 
is located. The front step of the VA hospital is four feet below sea 
level. So I can’t imagine how far down further the sub-basement 
was. 

The point of the matter was they brought them, they downloaded 
the tapes, put them on a laundry truck, if I remember correctly, 
took them to the Superdome, and airlifted them out of there to 
Houston, where they were downloaded. 

Houston could not use the tapes, because the VistA system was 
different. It was tweaked locally. I think it was about 3 to 4 days 
before they could bring it back up, plus they lost all their images, 
their radiographic images, the x-rays. 

And at that time, the question we had on the special Committee 
was — and it was a good news story and a bad news story for the 
VA — what happened? Why wasn’t all the VA data available, be- 
cause what I didn’t realize is that all the data at each hospital, San 
Francisco is yours, and resides in San Francisco. 

If I am in Walla Walla or I am in San Diego and I have a patient 
that came in from San Francisco to San Diego, I have to reach in 
to the server that is at your hospital to get the data on that pa- 
tient. It is not in any central depository where I can go and grab 
that data as a VA practitioner. 

So they made the regional centers, supposedly I thought, as a re- 
dundant backup so that if one hospital goes down, you can retrieve 
that information automatically. 

Now something dramatically, intrinsically went wrong with this 
meltdown. And that is unacceptable. You can’t let that happen 
again. 

But the question I ask of you is did that regionalization and cen- 
tralization happen before General Howard had to inherit that 
issue? So that was there. That is set up. That infrastructure and 
that internal control and security was in place. 

Now what he had to do was mitigate that. If he has inherited 
that mess and if there is a problem with it, he is going to have to 
fix it. And we are going to have to give him the money. These 
members are going to have to vote on that. And give him that kind 
of money to make sure that never happens again. 

But the question I have for you is, before centralization, how 
much down time did you have? Every hospital I know has had 
their systems crash. Our system in our Committee has crashed for 
a couple of days at a time where we couldn’t retrieve anything. 

So when you say that you have more downtime since centraliza- 
tion, and these regional data processing systems were in before 
centralization, how do you then address that the centralization is 
the cause of that downtime? 

Dr. Davoren. I am not sure that centralization in terms of OIT 
reorganization is the cause of that. Centralization of the resources 
did create a new point of failure. 

And the local facility understanding was, and we have been told 
this in fact, and there is a memorandum from December of 2006 
that I don’t have with me, but I can retrieve, that it would be es- 
sentially a seamless transition from the Sacramento Regional Data 
Processing Center for us to the Denver Regional Data Processing 
Center. 

So what I would say is that what you have said is exactly true. 
But the control on August 31st of moving the plan that we all un- 
derstood at the field level was that when there was a big catas- 
trophe such as what happened, we would be moved over to the 
Denver backup. That did not happen. And we did have the longest 
down — this is the longest unplanned downtime that we have ever 
had in San Francisco since we have had an electronic medical 
record. 

We have had two planned down times during major system up- 
grades, well coordinated, incredibly well set up in advance on 
weekends that were 8 hours in duration. But this was 9 hours for 
us unplanned. The longest that we have ever had. 

Mr. Wu. Are you a researcher also? 

Dr. Davoren. Somewhat. I mostly do clinical work and 
informatics. 

Mr. Wu. Are you familiar with the breach at Birmingham in re- 
search? 

Dr. Davoren. Yes. 

Mr. Wu. Do you have any idea what that is going to cost the VA 
to mitigate? 

Dr. Davoren. No. 

Mr. Wu. What about $26 million? Do you think there should be 
some personal responsibility of whoever does that? 

Dr. Davoren. I think that the — one of the good news points that 
I said before is that the mentality has been a major — a major em- 
phasis of what has gone on with the reorganization in terms of the 
security initiatives to get people to really pay attention to the level 
of detail of knowledge that they have about everything that is at 
our fingertips. 

The same quality that makes sensitive information so sensitive 
is what makes it necessary for us to know it in an instant. 

Mr. Wu. I appreciate your testimony about, what doesn’t need to 
be encrypted on thumb drives, what is in meetings and presen- 
tations. But how do the IT security people know what is on those 
unencrypted thumb drives? 

This is the security event report that comes out every week to 
Congress, to this Committee, to Chairman Filner and Mr. Buyer. 
We get them. Not all of them are great. Some are, you know, inci- 
dental. Some are — I don’t even know why they report them. But 
they report everything. 

For your testimony, what should and shouldn’t be encrypted? 
Who determines that? And is that on a personal recognizance of 
the physician or the practitioner or the VA employee? How do you 
then know what is on there? What isn’t on there? 

We have a report of a cardiologist losing his thumb drive in the 
Midwest, with 26,000 names on it. What should happen, do you 
think, to that individual after they certified that they would not do 
that? 

Dr. Davoren. Well, I am not as familiar enough with the actual 
channels for discipline that might be appropriate in such a case. I 
think that we have made good moves to try and keep people from 
keeping such information on devices. But, obviously, it can happen. 
I think everything is, in fact, a risk benefit assessment. 

If you encrypt the desktops as has been proposed, if it takes me 
25 minutes to get into the data that I need, I am going to tell you 
as a clinician, I don’t believe that is worth it. But the data is much 
more secure that way. And you will have prevented other people 
from seeing it even if I can’t use it for the veteran in front of me. 

So I think everything is about a balance. So I think in order to 
answer your question, the — how does the information security offi- 
cer know everything that is on the thumb drive, with current tech- 
nology, I don’t believe there is a way to do so. So I believe that 
there is a certain amount of policy and procedure that always ex- 
ists independent of the actual technical action that is taken. 

But I think it is just as important that we have the avenues of 
communication open to be able to discern when those become or ap- 
pear to be punitive at the end result and when they appear to be 
completely justified. 

But I don’t know that I am qualified to tell you exactly what 
should happen. 

Mr. Wu. I can appreciate that. And I thank Chairman Filner. 

The Chairman. Thank you, Mr. Wu, for your contributions. I just 
want to give our counsel a couple of questions. And then we 
will 

Mr. Bestor. I don’t have a phone book. So I can’t read from that. 
And I wouldn’t suggest that Art was doing that either. Sorry. 

But actually, Dr. Tibbits, I wanted to ask you a couple of ques- 
tions about the seamless transfer of information between DoD and 
VA, because obviously that is a big issue. There a lot of resources 
being spent on it. 

The first thing about the possibility that VistA could be used by 
DoD, of course, nobody would suggest that you just parachute 
VistA into DoD. Presumably there would have to be some kind of 
development of DoD — of VistA to be — to make it possible for DoD 
to use it. 

Clearly there are requirements that DoD has like readiness that 
the VA — and I keep hearing readiness is the big one. There is a 
chart on my wall of the information systems in DoD. It is only 
eight-and-a-half by eleven. But it has got at least, I don’t know, 
100-150 different little points on it. 

Obviously, there would be a development process that one would 
have to go through. But it is the case that something like 75 per- 
cent of new docs have had some experience on VistA, because they 
go through a VA rotation during their residencies these days. 

And it is also true that a development process might be able to 
address those. The question is why isn’t that being done? I mean, 
why — what is it about VistA that makes DoD so resistant to even 
looking at that as the in patient — well, not in patient, as the clin- 
ical medical record? 

Dr. Tibbits. Well, that is also a very good question. And there 
are probably lots of things. So let me — I guess I am going to basi- 
cally think out loud with you. 

I would also, obviously, encourage you to ask DoD that question, 
because I don’t want to speak for them 

Mr. Bestor. Obviously. 

Dr. Tibbits [continuing]. As to what is in their mind with respect 
to VistA. 

So let me speak about objectives again and start off there. Your 
preamble included, I think, information sharing or something or 
serving veterans in — leading into your question. 

I would say that were we able to do the development work to put 
VistA into the Department of Veterans Affairs in some way, shape, 
or form, might be a very good idea. And I am going to come back 
to that in a minute. It might be a very good idea and might be fea- 
sible. 

I just want to go back for a moment, however, to my earlier dis- 
cussion about email and the Englishman and the Frenchman. Let 
us not make the mistake that no matter how much development 
works goes on to put VistA into the Department — into DoD. No 
matter how much work goes on and if it is feasible, do not make 
the mistake of believing that that will accomplish information 
interoperability. It will not. It will do other things. 

You mentioned, for example, most doctors who go through train- 
ing today in the United States in some way, shape, or form go 
through the VA. True. Therefore, most of them have used VistA. 
True. And, in fact, most of them like it. True. 

Okay. So what would putting VistA in the Department of De- 
fense do today? It would probably reduce the training burden for 
those doctors over there, because they are already familiar with 
VistA. It might improve penetration of information technology into 
healthcare delivery in the Department of — in DoD, because VistA 
has a much higher success rate with respect to penetration and to 
healthcare than Alta does in the Department of Defense. 

So some very good things might happen by doing that. Just don’t 
put your eggs in that basket with respect to information interoper- 
ability between the two departments. It won’t accomplish that. 

The information interoperability between the two departments 
has got to deal with the data and how the data goes between the 
two departments, whether we put VistA over there or not. 

Now with respect to some other considerations, let me bring you 
all around to the notion of templates and structured data. We in 
the Department of Veterans Affairs right now are beginning more 
and more to use templates. We are beginning to use templates for 
the assessment of patients for the purpose of disability determina- 
tion. Those are coming largely out of Steve Brown in Nashville 
with the Compensation and Pension Exam Program initiative. The 
acronym explanation, which I don’t remember. Clinical evaluation, 
something or other. 

Anyway, lots of good work going on with respect to templates 
there. So we are moving in that direction. 

One of the major stumbling points, there are several, but one of 
the major stumbling points on the Alta side in DoD is that over 
there doctors hate templates. And the very — one of the high, high, 
high design objectives of Alta, irrespective of what clinicians in the 
clinic wanted, was to have machine-readable concepts captured 
when the clinician put data into the system, the history, the phys- 
ical, all the unstructured stuff, the text. My chief — I got sick 3 days 
ago when I hit my head on the door, and so forth, and so forth. 

To do all that in machine-readable terminology so that the sys- 
tem could do two things, automatically read that stuff and suggest 
codes so that the implantable cardioverter-defibrillator and current 
procedural terminology coding would happen automatically. Could 
be suggested to the doctor. The doctor attests to the legitimacy of 
the coding. That is for productivity measurement. 

And the second thing is for syndromic surveillance with respect 
to bioterrorism. So when all those symptoms, I have fever, I have 
a headache, are in there in machine-readable terms that the com- 
puter can understand, the computer can then begin to do epidemio- 
logic surveillance even if the doctor’s diagnosis is wrong. It doesn’t 
depend any longer on the doctor’s diagnosis, incomplete or wrong, 
because symptoms can directly be searched. That requires ma- 
chine-readable data entry, the thesaurus we talked about before. 

Well that creates an incredible imposition on physicians with re- 
spect to their normal workflow when they are seeing patients. They 
hate it by and large. 

So there is this very interesting sort of debate of objectives, I 
guess, between the two departments where we are moving toward 
templates. DoD is figuring out how to move somewhat away from 
templates. And do a little bit less of it. And where that balance is 
going to fall, I don’t know. 

Now let me go to theater. Yes, with respect to military support 
of medical — I’m sorry, medical support of military operations that 
is clearly a unique mission the Department of Defense has, which 
we do not have. 

The human form factors of what a computer looks like. Is it a 
Blackberry? Is it a big machine? Is it a desktop? How big the 
screen is. Does it operate in the mud? Can it operate in the rain? 
All those kind of factors. How screen — how fast the screen paint 
time is. 

Communications, in theater, while communications may not be 
universally available in the United States, it is a whole lot more 
reliable in the United States than it is in Afghanistan. 

So all the applications in Afghanistan have to be modified for un- 
reliable communications. That is a mission the Department of Vet- 
erans Affairs does not have. 

So when applications are being considered in economies of scale 
and all that kind of stuff, are both departments really sure that by 
trying to converge on the application software itself, we are making 
the best economic decision. 

Let me give you an example, a truck. Suppose you had to design 
a truck that had to operate in the mud effectively and drive effi- 
ciently through downtown Washington, DC. I would contend that 
the form factors on that truck might be such that and something 
had to pass between the two trucks. Let us say they’re both ambu- 
lances, and you had to pass patients between the two. 

I would contend that a whole lot of engineering analysis would 
have to go on to determine is one truck with a certain bit of modi- 
fications the most efficient way to design this new vehicle so that 
it works both in the mud, and Afghanistan, and in downtown 
Washington, DC, or is it cheaper and more effective to simply de- 
sign two trucks where the back doors fit each other and we can 
pass the patient through it? 

I would contend that is not a foregone conclusion. And it has to 
be thought through. 

The Chairman. Actually, Doctor, I can think of a response to 
that analogy, but I don’t want to keep us all here. You and I are 
going to be talking a lot. 

Dr. Tibbits. Great. 

The Chairman. So we can talk about that some more. You know, 
it is really about information exchange. It is not — wouldn’t you 
want the same size bolts and all that kind of stuff. But let us not 
go there. 

Let me ask you about this interoperability thesaurus. Tell — the 
Clinical Data Repository/Health Data Repository (CHDR) the VA is 
working on, is that the thesaurus work that you are talking about, 
the updated repository? 

Dr. Tibbits. Yes. That is the thesaurus work on our side. 

The Chairman. Right. And the Clinical Data Repository (CDR) 
is the thesaurus work on DoD’s side, correct. 

Dr. Tibbits. That is correct. 

The Chairman. And we are looking at timeframes that are 8 
years out? 

Dr. Tibbits. Could possibly be, which is why I am suggesting we 
need a simplifying construct to accelerate that work. 

The Chairman. Okay. I am not sure what you mean by “a simpli- 
fying construct.” You can have interim solutions even if you are 
continuing to work toward that long-term goal. 

Dr. Tibbits. Exactly right. And 

The Chairman. And is that what you mean? 

Dr. Tibbits. Yeah. It is what I mean. And those interim solu- 
tions, if we focus on information interoperability for the purpose of 
serving veterans 

The Chairman. Right. 

Dr. Tibbits [continuing]. And don’t distract ourselves at the ap- 
plication software level and worry about what will work in theater 
and all that stuff. If we don’t distract ourselves with that question, 
focus on the information number one. Number two, focus on what 
the high-priority problems are today that we need to fix for 
servicemembers and veterans. 
The Chairman. Right. 

Dr. Tibbits. Traumatic brain injury, PTSD, amputation. What is 
the information exchange that has to go on between the two de- 
partments to optimally handle those conditions? 

The Chairman. Right. 

Dr. Tibbits. That is a list. Some of that list could, in fact, be 
computable. Some of it may be computable already today. Some of 
that list might not be computable, but exchangeable today in non- 
computable fashion, fine. 

And some of that list might not yet have been addressed. But 
could be addressed in a non-computable fashion, so we don’t need 
a thesaurus solution. 

The Chairman. Right. 

Dr. Tibbits. But those layers of composite approaches that I just 
described could be put in place in an organized manner and plan 
that would greatly accelerate the information exchange between 
the two departments. And alleviate as to some extent of this crit- 
ical path thesaurus work that is going to — it is by definition going 
to still take a long time. 

The Chairman. Right. 

Dr. Tibbits. One more comment. I would suggest, and I have 
suggested by the way, the Administration has put a very high pri- 
ority in VA/DoD collaboration. I assume you all know that. Both 
the Deputy Secretaries of both departments meet weekly on this 
subject. I am part of that process with Secretary England and Sec- 
retary Mansfield. They have their four-stars in the building meet- 
ing with the Undersecretaries, and so forth, and on our side as 
well. 

I have suggested to that group, and DoD has agreed, that we will 
also undertake another level of assessment with respect to inter- 
operability. And you mentioned the two key elements, the health 
data repository and the clinical data repository, which today are 
connected together by a wire over which we transmit standardized 
data called CHDR. 

The Chairman. Right. 

Dr. Tibbits. CHDR. 

The Chairman. Right. 

Dr. Tibbits. My proposition to the Department of Defense is why 
don’t we simply put a workgroup together, which we now have 
done by the way. Why don’t we put a workgroup together to look 
at the entire constructive Health Data Repository, the entire con- 
structive of the CDR? See if we can eliminate those two things as 
two separate constructs and simply create one common database 
under both medical records. 

If we can create one common database under both medical 
records, then the application software doesn’t matter anymore. 

The Chairman. Right. 

Dr. Tibbits. DoD can use their AHLTA. We could use our VistA. Indian 
Health Service, if we wanted to, they could use their Indian 
Health Service applications. If we all put stuff in the same data- 
base, we will have achieved the information interoperability objec- 
tives we need to serve veterans. And completely end this debate 
about whose application is better or more suited to the target envi- 
ronment. 
The Chairman. Right. And so what is the timeframe? Suppose 
tomorrow they say do it. How long does it take to do it? 

Dr. Tibbits. To put those two databases together? 

The Chairman. Yes. 

Dr. Tibbits. I would say it is going to give — I would say it is 
going to take us probably 6 months to have an answer as to wheth- 
er it is feasible and will save us time. 

My hypothesis is that it will be feasible and it will save us time. 
That is a hypothesis that remains to be confirmed. 

The Chairman. Okay. And is what you just described doing test- 
ing that hypothesis? 

Dr. Tibbits. Yes. That is the study that is going on. 

The Chairman. Okay. 

Dr. Tibbits. Yes. We have launched that study. Yes. 

The Chairman. Thank you very much. I think we have learned 
a lot. I appreciate your input. You read too much Dr. Seuss, will 
it work in the mud? Will it work on the scud? Will it work with 
a lot of blood? His widow lives in my district. So I am going to 
bring this to her. 

But thank you very much. Thank you very much Mr. Wu. Thank 
you, Mr. Bestor. We have a lot of work. Everybody is impatient. So 
if you need more resources to go faster, let us know please. 

General, do you have anything to add? 

General Howard. Sure. We just appreciate your support. And we 
are in constant communication with your staff. And if we need 
help, rest assured we will come forward. 

The Chairman. Thank you, sir. This hearing is adjourned. 

[Whereupon, the Committee was adjourned.] 



APPENDIX 


Prepared Statement of Hon. Bob Filner, 

Chairman, Full Committee on Veterans’ Affairs 

Thank you all for coming here today for this hearing on VA’s information tech- 
nology reorganization efforts. We will examine the progress the VA has made in cen- 
tralizing its IT efforts. 

We shall explore the progress the VA has made in its efforts to be the “gold stand- 
ard” of information security among Federal agencies, a goal enunciated by Secretary 
Nicholson in the wake of last year’s data breach involving over 25 million veterans 
and the incident earlier this year in Birmingham, Alabama. 

This Committee understands that IT centralization will not happen overnight, nor 
are we asking it to, but we are asking — and our veterans are demanding — that the 
VA to be held accountable for getting the job done. 

This past June, the Government Accountability Office (GAO), while praising the 
commitment from senior leadership, found fault with a number of areas in the VA’s 
efforts, areas that hinder the VA’s ability to successfully reach its reorganization goals. 

They included . . . rejecting GAO’s recommendation that VA create a dedicated 
implementation team responsible for day-to-day management of major change initia- 
tives. Instead, VA is apparently dividing the responsibility among two organizations 
in the new structure. GAO was concerned that this approach would not work, and 
so is this Committee. 

More recently, GAO reported that of 17 recommendations made by the VA Inspector 
General, 16 had not yet been implemented. Implementing these recommendations 
is essential if the VA is to protect private information and meet its 
obligations under the Federal Information Security Management Act (FISMA). 

In the final analysis, we must remember that IT is merely a tool, a tool used by 
the VA in furtherance of its mission of caring for veterans. This Committee has con- 
tinued to work in a bipartisan fashion to encourage the VA to centralize its IT ef- 
forts. These efforts will lead to concrete benefits for both the VA, taxpayers, and 
most importantly our veterans. 

As we look to the VA to better manage its IT efforts, and to take the lead in data 
security efforts, we must also ensure these efforts do not unduly harm the VA’s mis- 
sion of providing healthcare and benefits to our veterans. 

Our charge is to ensure that while VA is carrying out its mission, it does so with 
the best and most up-to-date technology the 21st century provides, while securing 
that technology from outside manipulation and preventing improper disclosure of 
our veterans’ confidential information. 

VA, at the same time, must continue the creativity and innovation in the use of 
electronic medical and other systems that has put VA at the forefront of medical 
care. These are not easy tasks. We are heartened by many of the steps the VA has 
undertaken, but remain concerned that more should be done, and could be done 
. . . faster. 

We remain hopeful that the VA can simultaneously provide our veterans the 
greatest security, management and healthcare. Undoubtedly, the efficient and effec- 
tive management and operation of the VA IT efforts will realize tangible benefits 
for our veterans. 


Prepared Statement of Hon. Stephanie Herseth Sandlin, 
a Representative in Congress from the State of South Dakota 

Thank you Chairman Filner and Ranking Member Buyer for holding today’s hear- 
ing to evaluate the VA’s reorganization of its information technology infrastructure 
and management. 

Considering the numerous hearings that this Committee dedicated last year to in- 
vestigating the VA’s information technology problems, it is only right that we take 
this opportunity to follow-up on the progress of VA’s reorganization efforts. This 
Committee, and Congress as a whole, have a responsibility to remain vigilant in its 
oversight role to ensure the VA continues to move forward in its pledge to protect 
the private information of our Nation’s veterans. 

I share the frustration of my colleagues regarding the repeated failures to change 
the VA’s information organizational structure and the recurring instances of lost 
personal information. 

I thank Mr. Howard and Mr. Claudio for testifying today. I have heard good 
things about your commitment to providing a secure information technology envi- 
ronment. In order for this Committee to properly conduct its oversight responsibil- 
ities we must be able to engage in an open and honest discussion. It is extremely 
valuable for the Committee to hear from those of you on the frontline working to 
bring down the institutional barriers of VA’s current IT organizational structure. 

While the VA has taken important steps toward completing information tech- 
nology realignment, many questions remain unanswered and many changes to the 
VA’s policies, regarding the handling of sensitive information, will need to be made. 

I hope that today’s hearing will shed some light on these unanswered questions 
and lead to better safeguarded information security systems at the VA. 

We must work to ensure that the personal information of our Nation’s veterans 
is protected and these widely reported security incidents never happen again. 

Thank you again Mr. Chairman. I look forward to hearing from today’s witnesses. 


Prepared Statement of Hon. Henry E. Brown, Jr., 
a Representative in Congress from the State of South Carolina 

Mr. Chairman and Ranking Member Buyer, thank you for calling this hearing to 
examine the VA’s information technology management structure. I hope that this 
Committee will take a serious step in addressing one of the biggest challenges fac- 
ing the Department today; improving the capabilities of VA’s information technology 
system, while strengthening security measures. 

As the Congress and this Committee looks at VA’s information technology reorga- 
nization and the progress that they have made as a result of establishing a central- 
ized management system, I am hopeful that we will do so in a way that focuses on 
the bipartisan concern we have for the wellbeing of our Nation’s veterans. I believe 
that improving access to healthcare, providing benefits, and implementing informa- 
tion technology go hand-in-hand as we work to ensure that our Nation’s veterans 
have all the resources they need to make a seamless transition into civilian life. 

In closing, Mr. Chairman, I look forward to hearing from our witnesses this morning 
and the discussion that we will have on these important issues. Again, Mr. Chairman, 
thank you for the time, which I now yield back. 


Prepared Statement of Hon. Ginny Brown-Waite, 
a Representative in Congress from the State of Florida 

Thank you Mr. Chairman, 

I want to thank all of our witnesses here today for testifying before this Com- 
mittee. There has been a great deal of focus placed on the use of Information Tech- 
nology at the Department of Veterans Affairs. The VA relies heavily on information 
technology to carry out its important mission of serving our Nation’s veterans. 

The VA undertook an ambitious process to recentralize its IT functions in 2003 
and learned many valuable lessons as a result. This has led Secretary Nicholson to 
approve a federated IT management system for the VA. In this new federated sys- 
tem, the VA divided operations and maintenance from systems development. Inno- 
vative thinking like this is needed to ensure that the VA is meeting the needs of 
veterans in an effective and efficient manner. 

Overhauling the IT system at the VA has been a long and difficult process and 
completion of the realignment is scheduled for July 2008. However, a June 2007, 
GAO report states, that the VA risks jeopardizing the success of these efforts and 
may not realize the long-term benefits of the realignment if they do not comply with 
the recommendations made by the GAO. I look forward to hearing more about these 
recommendations from both the GAO and the VA here today. 

Once again, I welcome you to the hearing and look forward to hearing your 
thoughts on the issue before us today. 
Prepared Statement of Hon. John T. Salazar, 
a Representative in Congress from the State of Colorado 

Thank you Mr. Chairman. 

Mr. Chairman, I’m a potato farmer, and in the 30 years that I’ve been farming 
I’ve seen how technology has changed farming operations all over the world. 

Change and advancement are inevitable when it comes to technology. It’s the na- 
ture of the beasts. 

A farmer can spend hundreds of thousands of dollars on a single piece of equip- 
ment, but unless that farmer knows how to manage that machine and manages it 
correctly, that tractor will destroy the crops the farmer is attempting to harvest. 

We could have the most advanced technology in the world, but it’s useless if we 
fail to manage it properly. 

A year ago, we heard about an employee of the VA who had his laptop stolen, 
potentially compromising the personal records of over 2 million veterans. 

Since then, important steps have been taken by the VA to minimize the possibility 
of these types of things from happening in the future. Some of these steps have been 
taken voluntarily by the VA and some have been mandated by Congress. 

Last year, there were major changes in the management of IT affairs at VA, and 
this hearing is a chance to get a reading on the impact of that change. 

This hearing and the multiple hearings we’ve had in the last few years like this 
one are about more than just the IT department in a government agency. 

The records being kept by VA belong to real people; men and women who served 
our country during both times of peace and times of conflict. 

I look forward to the testimony from our witnesses. I hope to get a better sense 
of where the Department is and where it plans to go with the technology it has in 
its hands. 


Prepared Statement of Valerie C. Melvin, Director, 

Human Capital and Management Information Systems Issues, 

U.S. Government Accountability Office 

Veterans Affairs — Sustained Management Commitment and Oversight are 
Essential to Completing Information Technology Realignment and 
Strengthening Information Security 

GAO Highlights 

Why GAO Did This Study 

The Department of Veterans Affairs (VA) has encountered numerous challenges 
in managing its information technology (IT) and securing its information systems. 
In October 2005, the department initiated a realignment of its IT program to pro- 
vide greater authority and accountability over its resources. The May 2006 security 
incident highlighted the need for additional actions to secure personal information 
maintained in the department’s systems. 

In this testimony, GAO discusses its recent reporting on VA’s realignment effort 
as well as actions to improve security over its information systems. To prepare this 
testimony, GAO reviewed its past work on the realignment and on information secu- 
rity, and it updated and supplemented its analysis with interviews of VA officials. 

What GAO Recommends 

In recent reports, GAO made recommendations aimed at improving VA’s manage- 
ment of its realignment efforts and information security program. 

What GAO Found 

VA has fully addressed two of six critical success factors GAO identified as essen- 
tial to a successful transformation, but it has yet to fully address the other four, 
and it has not kept to its scheduled timelines for implementing new management 
processes that are the foundation of the realignment. That is, the department has 
ensured commitment from top leadership and established a governance structure to 
manage resources, both of which are critical success factors. However, the depart- 
ment continues to operate without a single, dedicated implementation team to man- 
age the realignment; such a dedicated team is important to oversee the further im- 
plementation of the realignment, which is not expected to be complete until July 
2008. Other challenges to the success of the realignment include delays in staffing 
and in implementing improved IT management processes that are to address long- 
standing weaknesses. The department has not kept pace with its schedule for implementing 
these processes, having missed its original scheduled timeframes. Unless 
VA dedicates a team to oversee the further implementation of the realignment, in- 
cluding defining and establishing the processes that will enable the department to 
address its IT management weaknesses, it risks delaying or missing the potential 
benefits of the realignment. 

VA has begun or continued several major initiatives to strengthen information se- 
curity practices and secure personally identifiable information within the depart- 
ment, but more remains to be done. These initiatives include continuing the depart- 
ment’s efforts to reorganize its management structure; developing a remedial action 
plan; establishing an information protection program; improving its incident man- 
agement capability; and establishing an office responsible for oversight and compli- 
ance of IT within the department. However, although these initiatives have led to 
progress, their implementation has shortcomings. For example, although the man- 
agement structure for information security has changed under the realignment, im- 
proved security management processes have not yet been completely developed and 
implemented, and responsibility for the department’s information security functions 
is divided between two organizations, with no documented process for the two offices 
to coordinate with each other. In addition, VA has made limited progress in imple- 
menting prior security recommendations made by GAO and the department’s In- 
spector General, having yet to implement 22 of 26 recommendations. Until the de- 
partment addresses shortcomings in its major security initiatives and implements 
prior recommendations, it will have limited assurance that it can protect its systems 
and information from the unauthorized disclosure, misuse, or loss of personally 
identifiable information. 


Mr. Chairman and Members of the Committee: 

Thank you for inviting us to participate in today’s hearing on the Department of 
Veterans Affairs (VA) realignment of its information technology management structure 
and actions toward strengthening its information security program. In carrying 
out its mission of serving our Nation’s veterans, the department relies heavily on 
information technology (IT), for which it expends about $1 billion annually. As you 
know, however, VA has encountered persistent challenges in IT management, hav- 
ing experienced cost, schedule, and performance problems in its information system 
initiatives, as well as losses of sensitive information contained in its systems. We 
have reported that a contributing factor to VA’s challenges in managing projects and 
improving security was the department’s management structure, which until recently 
was decentralized, giving the administrations 1 and headquarters offices 2 control 
over a majority of the department’s IT budget. 

In October 2005, VA initiated a realignment of its IT program to provide greater 
authority and accountability over its resources. In undertaking this realignment 
(due for completion in July 2008), the department’s goals are to centralize IT man- 
agement under the department-level Chief Information Officer (CIO) and stand- 
ardize operations and the development of systems across the department through 
the use of new management processes based on industry best practices. This past 
June we reported on the department’s realignment initiative, noting progress as 
well as the need for additional actions to be completed. 3 Just last week, we also 
released a report on VA information security, which included an assessment of the 
realignment with regard to the department’s information security practices. 4 

At your request, my testimony today will summarize the department’s actions to 
realign IT management and our findings regarding the department’s information se- 
curity program. In developing this testimony, we reviewed our previous work on the 
department’s realignment and efforts to strengthen information security. We also 
obtained and analyzed pertinent documentation and supplemented our analysis 
with interviews of responsible VA officials to determine the current status of the de- 
partment’s realignment efforts. All work on which this testimony is based was con- 
ducted in accordance with generally accepted government auditing standards. 


1 The VA comprises three administrations: the Veterans Benefits Administration, the Veterans 
Health Administration, and the National Cemetery Administration. 

2 The headquarters offices include the Office of the Secretary, six Assistant Secretaries, and 
three VA-level staff offices. 

3 GAO, Veterans Affairs: Continued Focus on Critical Success Factors Is Essential to Achiev- 
ing Information Technology Realignment, GAO-07-844 (Washington, D.C.: June 15, 2007). 

4 GAO, Information Security: Sustained Management Commitment and Oversight Are Vital to 
Resolving Longstanding Weaknesses at the Department of Veterans Affairs, GAO-07-1019 
(Washington, D.C.: Sept. 7, 2007). 





Results in Brief 

VA has fully addressed two of six critical success factors we have identified as es- 
sential to a successful transformation, but it has not kept to its timelines for imple- 
menting new management processes that are the foundation of the realignment. 
Consequently, the department is in danger of not being able to meet its 2008 tar- 
geted completion date. The department has ensured commitment from top leader- 
ship and established a governance structure to manage resources, both of which are 
critical success factors. However, the department continues to operate without a sin- 
gle, dedicated implementation team to manage the realignment; such a dedicated 
team is important to oversee the further implementation of the realignment. Other 
challenges to the success of the realignment include delays in staffing and in imple- 
menting the IT management processes that are the foundation of the realignment. 
The department has not kept pace with its schedule for implementing these proc- 
esses, having missed its original scheduled timeframes. Unless VA dedicates a team 
to oversee the further implementation of the realignment, including defining and es- 
tablishing the processes that will enable the department to address its IT management 
weaknesses, it risks delaying or missing the potential benefits of the realignment. 

VA has made progress in strengthening information security, but much work re- 
mains to resolve longstanding security weaknesses. The department has begun or 
has continued several major initiatives to strengthen information security practices 
and secure personally identifiable information 5 within the department. These initiatives 
include continuing the department’s efforts, as described above, to realign its 
management structure; developing a remedial action plan; establishing an informa- 
tion protection program; improving its incident management capability; and estab- 
lishing an office responsible for oversight and compliance of IT within the depart- 
ment. However, although these initiatives have led to progress, their implementa- 
tion has shortcomings. For example, a new security management structure has been 
implemented, but improved security management processes have not yet been com- 
pletely developed and implemented; in addition, the new security management 
structure divides the responsibility for the department’s information security func- 
tions between two organizations, with no documented process for the two offices to 
coordinate with each other. Further, the department has made limited progress in 
addressing prior GAO and Inspector General recommendations to improve security: 
although VA has taken steps to address these, it has not yet completed the imple- 
mentation of 22 out of 26 prior recommendations. 

In the reports covered by this testimony, we have made numerous recommenda- 
tions aimed at improving the department’s management of its realignment and in- 
formation security program. VA has agreed with these recommendations and has 
begun taking or plans to take action to implement them. If this implementation is 
properly executed, it could help the department to realize the expected benefits of 
the realignment, as well as to better secure its information and systems. 

Background 

VA’s mission is to promote the health, welfare, and dignity of all veterans in rec- 
ognition of their service to the nation by ensuring that they receive medical care, 
benefits, social support, and lasting memorials. Over time, the use of IT has become 
increasingly crucial to the department’s effort to provide benefits and services. VA 
relies on its systems for medical information and records for veterans, as well as 
for processing benefit claims, including compensation and pension and education 
benefits. 

In reporting on VA’s IT management over the past several years, we have high- 
lighted challenges the department has faced in enabling its employees to help vet- 
erans obtain services and information more quickly and effectively while also safe- 
guarding personally identifiable information. A major challenge was that the department’s 
information systems and services were highly decentralized, giving the administrations 
a majority of the IT budget. 6 In addition, VA’s policies and procedures 
for securing sensitive information needed to be improved and implemented consist- 
ently across the department. 


5 Personally identifiable information, which can be used to locate or identify an individual, 
includes things such as names, aliases, and Social Security numbers. 

6 For example, according to an October 2005 memorandum from the former CIO to the Secretary 
of Veterans Affairs, the CIO had direct control over only 3 percent of the department’s 
IT budget and 6 percent of the department’s IT personnel. In addition, in the department’s fiscal 
year 2006 IT budget request, the Veterans Health Administration was identified to receive 88 
percent of the requested funding, while the department was identified to receive only 4 percent. 
As we have previously pointed out, 7 it is crucial for the department CIO to ensure 
that well-established and integrated processes for leading, managing, and control- 
ling investments in information systems and programs are followed throughout the 
department. Similarly, a contractor’s assessment of VA’s IT organizational align- 
ment, issued in February 2005, noted the lack of control over how and when money 
is spent. 8 The assessment noted that the focus of department-level management 
was only on reporting expenditures to the Office of Management and Budget and 
Congress, rather than on managing these expenditures within the department. 

Centralized IT Organization 

In response to the challenges that we and others have noted, the department offi- 
cially began its effort to provide the CIO with greater authority over IT in October 
2005. At that time, the Secretary issued an executive decision memorandum grant- 
ing approval for the development of a new management structure for the depart- 
ment. According to VA, its goals in moving to centralized management are to enable 
the department to perform better oversight of the standardization, compatibility, 
and interoperability of systems, as well as to have better overall fiscal discipline for 
the budget. 

In February 2007, the Secretary approved the department’s new organizational 
structure, which includes the Assistant Secretary for Information and Technology, 
who serves as VA’s CIO. As shown in figure 1, the CIO is supported by a principal 
deputy assistant secretary and five deputy assistant secretaries — new senior leader- 
ship positions created to assist the CIO in overseeing functions such as cyber secu- 
rity, IT portfolio management, systems development, and IT operations. 

Figure 1 — Office of Information and Technology Organizational Chart 
Note: DAS = Deputy Assistant Secretary 

In addition, the Secretary approved an IT governance plan in April 2007 that is 
intended to enable the Office of Information and Technology to centralize its deci- 
sionmaking. The plan describes the relationship between IT governance and depart- 
mental governance and the approach the department intends to take to enhance IT 
governance. The department also made permanent the transfer of its entire IT 
workforce under the CIO, consisting of approximately 6,000 personnel from the ad- 
ministrations. Figure 2 shows a timeline of the realignment effort. 

Figure 2 — Timeline of Key Events for VA IT Realignment 


[Figure 2 is a timeline image (2005 through 2008) that is not reproduced here. Events marked on it: realignment contractor begins; transfer of operations and maintenance staff made permanent; transfer of development staff made permanent; new Office of Information and Technology organization structure approved by the Secretary; IT Governance Plan approved by the VA Secretary; VA Secretary approves new IT management system; planned rolling implementation of centralized IT management processes; scheduled completion date for VA IT realignment.] 


7 GAO-07-844. 

8 Gartner Consulting, OneVA IT Organizational Alignment Assessment Project “As-Is” Base- 
line (McLean, Virginia; Feb. 18, 2005). 
Multiple Factors Increasing Risk to Success of Realignment 

Although VA has fully addressed two of six critical success factors that we identi- 
fied as crucial to a major organizational transformation such as the realignment, it 
has not fully addressed the other four factors, and it has not kept to its scheduled 
timelines for implementing new management processes that are the foundation of 
the realignment. Consequently, the department is in danger of not being able to 
meet its target of completing the realignment in July 2008. In addition, although 
it has prioritized its implementation of the new management processes, none has 
yet been implemented. In our recent report,⁹ we made six recommendations to en- 
sure that VA’s realignment is successfully accomplished; the department generally 
concurred with our recommendations and stated that it had actions planned to ad- 
dress them. 

VA Has Not Fully Addressed All Critical Success Factors 

We have identified critical factors that organizations need to address in order to 
successfully transform an organization to be more results oriented, customer fo- 
cused, and collaborative in nature. Large-scale change management initiatives are 
not simple endeavors and require the concentrated efforts of both leadership and 
employees to realize intended synergies and to accomplish new organizational goals. 
There are a number of key practices that can serve as the basis for Federal agencies 
to transform their cultures in response to governance challenges, such as those that 
an organization like VA might face when transforming to a centralized IT manage- 
ment structure. 

The department has fully addressed two of six critical success factors that we 
identified (see table 1). 


Table 1 — Current Status of VA’s Actions to Address Critical Success Factors 

Critical success factor / Status as of September 2007 

Ensuring commitment from top leadership 
    Fully addressed: Secretary Nicholson approved the new organization structure and 
    the transfer of employees. 

Establishing a governance structure to manage resources 
    Fully addressed: Secretary Nicholson approved the IT governance plan, and VA 
    established three new IT governance boards that began meeting earlier this year. 

Linking IT strategic plan to organization strategic plan 
    Partially addressed: The department has developed a draft IT strategic plan and 
    expects to finalize it in October 2007. 

Using workforce strategic management to identify proper roles for all employees 
    Partially addressed: VA has identified job requirements, has begun to develop 
    career paths for IT staff, and has not yet established a knowledge and skills 
    inventory. 

Communicating change to all stakeholders 
    Partially addressed: VA increased communication on the realignment, but has not 
    staffed a key communication office. 

Dedicating an implementation team to manage change 
    Not addressed: The department does not have an implementation team to manage 
    the realignment. 

Source: GAO. 


Ensuring commitment from top leadership. The department has fully addressed 
this success factor. As described earlier, the Secretary of VA has fully supported the 
realignment. He approved the department’s new organizational structure and pro- 
vided resources for the realignment effort. 

However, the Secretary recently submitted his resignation, indicating that he in- 
tended to depart by October 1, 2007. While it is unclear what effect the Secretary’s 
departure will have on the realignment, the impending departure underscores the 
need for consistent support from top leadership through the implementation of the 
realignment, to ensure that its success is not at risk in the future. 


9 GAO-07-844. 

10 GAO, Results-Oriented Cultures: Implementation Steps to Assist Mergers and Organiza- 
tional Transformations, GAO-03-669 (Washington, D.C.: July 2, 2003); and Highlights of a GAO 
Forum: Mergers and Transformation: Lessons Learned for a Department of Homeland Security 
and Other Federal Agencies, GAO-03-293SP (Washington, D.C.: Nov. 14, 2002). 
Establishing a governance structure to manage resources. The department has 
fully addressed this success factor. The department has established three govern- 
ance boards, which have begun operation. The VA IT Governance Plan, approved 
April 2007, states that the establishment and operation of these boards will assist 
in providing the department with more cost-effective use of IT resources and assets. 

The department also has plans to further enhance the governance structure in re- 
sponse to operational experience. The department found that the boards’ responsibil- 
ities need to be more clearly defined in the IT Governance Plan to avoid overlap. 
That is, one board (the Business Needs and Investment Board) was involved in the 
budget formulation for fiscal year 2009, but budget formulation is also the responsi- 
bility of the Deputy Assistant Secretary for IT Resource Management, who is not 
a member of this board. According to the Principal Deputy Assistant Secretary for 
Information and Technology, the department is planning to update its IT Govern- 
ance Plan within a year to include more specificity on the role of the governance 
boards in VA’s budget formulation process. Such an update could further improve 
the structure’s effectiveness. 

Linking IT strategic plan to organization strategic plan. The department has par- 
tially addressed this success factor. VA has drafted an IT Strategic Plan that pro- 
vides a course of action for the Office of Information and Technology over 5 years 
and addresses how IT will contribute to the department’s strategic plan. According 
to the Deputy Director of the Quality and Performance Office, the draft IT strategic 
plan should be formally approved in October 2007. Finalizing the plan is essential 
to helping ensure that leadership understands the link between VA’s organizational 
direction and how IT is aligned to meet its goals. 

Using workforce strategic management to identify proper roles for all employees. 
The department has partially addressed this success factor. The department has 
begun to identify job requirements, design career paths, and determine rec- 
ommended training for the staff that were transferred as part of the realignment. 
According to a VA official, the department identified 21 specialized job activities, 
such as applications software and end user support, and has defined competency 
and proficiency targets for 6 of these activities. Also, by November 2007, VA ex- 
pects to have identified the career paths for approximately 5,000 of the 6,000 staff 
that have been centralized under the CIO. Along with the development of the com- 
petency and proficiency targets, the department has identified recommended train- 
ing based on grade level. However, the department has not yet established a knowl- 
edge and skills inventory to determine what skills are available in order to match 
roles with qualifications for all employees within the new organization. It is crucial 
that the department take the remaining steps to fully address this critical success 
factor, so that the staff transferred to the Office of Information and Technology are 
placed in positions that best suit their knowledge and skills, and the organization 
has the personnel resources capable of developing and delivering the services re- 
quired. 

Communicating change to all stakeholders. The department has partially ad- 
dressed this success factor. The department began publishing a bimonthly news- 
letter in June to better communicate with all staff about Office of Information and 
Technology activities, including the realignment. However, the department has not 
yet fully staffed the Business Relationship Management Office or identified its lead- 
ership. This office is to serve as the single point of contact between the Office of 
Information and Technology and the administrations; in this role, it provides the 
means for the Office of Information and Technology to understand customer require- 
ments, promote services to customers, and monitor the quality of the delivered serv- 
ices. A fully staffed and properly led Business Relationship Management Office is 
important to ensure effective communication between the Office of Information and 
Technology and the administrations. 

Communicating the changed roles and responsibilities of the central IT organiza- 
tion versus the administrations is one of the important functions of the Business 
Relationship Management Office. These changes are crucial to software develop- 
ment, among other things. Before the centralization of the management structure, 
each of the administrations was responsible for its own software development. For 
example, the department’s health information system — the Veterans Health Infor- 
mation System and Technology Architecture (VistA) — was developed in a decentral- 
ized environment. The developers and the doctors, closely collaborating at local fa- 

11 Competency refers to required capabilities for performing specialized job activities, such as 
business process reengineering or database administration. Proficiency targets indicate the level 
at which the individual can perform these activities. 

cilities, developed and adapted this system for their own specific clinic needs. The 
result of their efforts is an electronic medical record that has been fully embraced 
by the physicians and nurses. However, the decentralized approach has also re- 
sulted in each site running a stand-alone version of VistA that is costly to main- 
tain; in addition, data at the sites are not standardized, which impedes the ability 
to exchange computable information. 

Under the new organization structure, approval of development changes for VistA 
will be centralized at the Veterans Health Administration headquarters and then 
approved for development and implementation by the Office of Information and 
Technology. The communications role of the Business Relationship Management Of- 
fice is thus an important part of the processes needed to ensure that users’ require- 
ments will be addressed in system development. 

Dedicating an implementation team to manage change. The department has not 
addressed this success factor. A dedicated implementation team that is responsible 
for the day-to-day management of a major change initiative is critical to ensure that 
the project receives the focused, full-time attention needed to be sustained and suc- 
cessful. VA has not identified such an implementation team to manage the re- 
alignment. Rather, the department is currently managing the realignment through 
two organizations: the Process Improvement Office under the Quality and Perform- 
ance Office (which will lead process improvements) and the Organizational Manage- 
ment Office (which will advise and assist the CIO during the final transformation 
to a centralized structure). However, the Executive Director of the Organizational 
Management Office has recently resigned his position, leaving one of the two re- 
sponsible offices without leadership. 

In our view, having a dedicated implementation team to manage major change 
initiatives is crucial to successful implementation of the realignment. An implemen- 
tation team can assist in tracking implementation goals and identifying perform- 
ance shortfalls or schedule slippages. The team could also provide continuity and 
consistency in the face of any uncertainty that could potentially result from the Sec- 
retary’s resignation. 

Accordingly, in our recent report we recommended that the department dedicate 
an implementation team to be responsible for change management throughout the 
transformation and that it establish a schedule for the implementation of the man- 
agement processes. 

Department Is Behind Schedule in Implementing IT Management Processes 

As the foundation for its realignment, VA plans to implement 36 management 
processes in five key areas: enterprise management, business management, business 
application management, infrastructure, and service support. These processes, 
which address all aspects of IT management, were recommended by the depart- 
ment’s realignment contractor and are based on industry best practices. According 
to the contractor, they are a key component of the realignment effort as the Office 
of Information and Technology moves to a process-based organization. Additionally, 
the contractor noted that with a system of defined processes, the Office of Informa- 
tion and Technology could quickly and accurately change the way IT supports the 
department. 

The department had planned to begin implementing the 36 management proc- 
esses in March 2007; however, as of early May 2007, it had only begun pilot testing 
two of these processes. The Deputy Director of the Quality and Performance Office 
reported that the initial implementation of the first two processes will begin in the 
second quarter of 2008. 

The Principal Deputy Assistant Secretary for Information and Technology ac- 
knowledged that the department is behind schedule for implementing the processes, 
but it has prioritized the processes and plans to implement them in three groups. 


12 VA has achieved an integrated medical information system through the use of the Comput- 
erized Patient Record System in VistA, where authorized users are able to access patient health- 
care data from any VA medical facility. 

13 Computable data are in a format that a computer application can act on, for example, to 
provide alerts to clinicians (of such things as drug allergies) or to plot graphs of changes in vital 
signs such as blood pressure. VA has standardized its pharmacy and allergy data in its health 
data repository. 

14 GAO-07-844. 

15 This official was previously the Director of the IT Realignment Office. 

16 Specifically, these processes are derived from the IT Governance Institute’s Control Objec- 
tives for Information and related Technology (CobiT®) and Information Technology Infrastruc- 
ture Library (ITIL) as configured by the Process Reference Model for IT (PRM-IT) from a VA 
contractor. 

17 These are the risk management and solution test and acceptance processes. 
in order of priority (see attachment 1 for a description of the processes and their 
implementation priority). According to the Deputy Director of the Quality and Per- 
formance Office, the approach and schedule for process implementation is currently 
under review. Work on the 10 processes associated with the first group is under 
way, and implementation plans and timeframes are being revised. This official told 
us that initial planning meetings have occurred and primary points of contact have 
been designated for the financial management and portfolio management processes, 
which are to be implemented as part of the first group. The department also noted 
that it will work to meet its target date of July 2008 for the realignment, but that 
all of the processes may not be fully implemented at that time. 

According to the Principal Deputy Assistant Secretary for Information and Tech- 
nology, the department has fallen behind schedule with process implementation for 
two reasons: 

• The department underestimated the amount of work required to redefine the 
36 process areas. Process charters for each of the processes were developed by 
a VA contractor and provide an outline for operation under the new manage- 
ment structure. Based on its initial review, the department found that the proc- 
esses are complicated and multilayered, involving multiple organizations. In ad- 
dition, the contractor provided process charters and descriptions based on a 
commercial, for-profit business model, and so the department must readjust 
them to reflect how VA conducts business. 

• With the exception of IT operations, the Veterans Health Administration oper- 
ates in a decentralized manner. For example, the budget and spending for the 
medical centers are under the control of the medical center directors. In addi- 
tion, the Office of Information and Technology only has ownership over about 
30 percent of all activities within the financial management process. For exam- 
ple some elements within this process area (such as tracking and reporting on 
expenditures) are the responsibility of the department’s Office of Manage- 
ment; this office is accountable for VA’s entire budget, including IT dollars. 
Thus, the Office of Information and Technology has no authority to direct the 
Office of Management to take particular actions to improve specific financial 
management activities. 

The department faces the additional obstacle that it has not yet staffed crucial 
leadership positions that are vital to the implementation of the management proc- 
esses. As part of the new organizational structure, the department identified 26 of- 
fices whose leaders will report to the five deputy assistant secretaries and are re- 
sponsible for carrying out the new management processes in daily operations. How- 
ever, as of early September, 7 of the leadership positions for these 25 offices were 
vacant, and 4 were filled in an acting capacity. According to the Principal Deputy 
Assistant Secretary for Information and Technology, hiring personnel for senior 
leadership positions has been more difficult than anticipated. With these leadership 
positions remaining vacant, the department will face increased difficulties in sup- 
porting and sustaining the realignment through to its completion. 

Until the improved processes have been implemented, IT programs and initiatives 
will continue to be managed under previously established processes that have re- 
sulted in persistent management challenges. Without the standardization that 
would result from the implementation of the processes, the department risks cost 
overruns and schedule slippages for current initiatives, such as VistA moderniza- 
tion, for which about $682 million has been expended through fiscal year 2006. 

VA Has Much Work Remaining To Resolve Long-Standing Security Weaknesses 

Recognizing the importance of securing Federal systems and data, Congress 
passed the Federal Information Security Management Act (FISMA)¹⁹ in December 
2002, which sets forth a comprehensive framework for ensuring the effectiveness of 
information security controls over information resources that support Federal oper- 
ations and assets. Using a risk-based approach to information security management, 
the Act requires each agency to develop, document, and implement an agencywide 
information security program for the data and systems that support the operations 
and assets of the agency. According to FISMA, the head of each agency has respon- 
sibility for delegating to the agency CIO the authority to ensure compliance with 
the security requirements in the act. To carry out the CIO’s responsibilities in the 


18 The Assistant Secretary for Management, who leads the Office of Management, is the de- 
partment’s Chief Financial Officer. 

19 FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002). 
area, a senior agency official is to be designated chief information security officer 
(CISO). 

The May 2006 theft from the home of a VA employee of a computer and external 
hard drive (which contained personally identifiable information on approximately 
26.5 million veterans and U.S. military personnel) prompted Congress to pass the 
Veterans Benefits, Healthcare, and Information Technology Act of 2006. Under 
the act, the VA’s CIO is responsible for establishing, maintaining, and monitoring 
departmentwide information security policies, procedures, control techniques, train- 
ing, and inspection requirements as elements of the departmental information secu- 
rity program. The Act also includes provisions to further protect veterans and 
servicemembers from the misuse of their sensitive personally identifiable informa- 
tion. In the event of a security incident involving personally identifiable information, 
VA is required to conduct a risk analysis, and on the basis of the potential for com- 
promise of personally identifiable information, the department may provide security 
incident notifications, fraud alerts, credit monitoring services, and identity theft in- 
surance. Congress is to be informed regarding security incidents involving the loss 
of personally identifiable information. 

In a report released last week, we stated that although VA has made progress 
in addressing security weaknesses, it has not yet fully implemented key rec- 
ommendations to strengthen its information security practices. It has not imple- 
mented two of our four previous recommendations and 20 of 22 recommendations 
made by the department’s inspector general. Among the recommendations not im- 
plemented are our recommendation that it complete a comprehensive security man- 
agement program and inspector general recommendations to appropriately restrict 
access to data, networks, and VA facilities; ensure that only authorized changes are 
made to computer programs; and strengthen critical infrastructure planning to en- 
sure that information security requirements are addressed. Because these rec- 
ommendations have not yet been implemented, unnecessary risk exists that person- 
ally identifiable information of veterans and other individuals, such as medical pro- 
viders, will be exposed to data tampering, fraud, and inappropriate disclosure. 

The need to fully implement GAO and IG recommendations to strengthen infor- 
mation security practices is underscored by the prevalence of security incidents in- 
volving the unauthorized disclosure, misuse, or loss of personal information of vet- 
erans and other individuals (see table 2). These incidents were partially due to 
weaknesses in the department’s security controls. In these incidents, which include 
the May 2006 theft of computer equipment from an employee’s home (mentioned 
earlier) and the theft of equipment from department facilities, millions of people had 
their personal information compromised. 


Table 2 — Number of Incidents by Type Reported to VA’s Network and 
Security Operations Center from January 2003 to November 2006 

Type of incident involving the loss of personal information   2003   2004   2005   2006a 
Records lost or misplaced                                       19     58     41     316 
Records or hardware stolen                                       7      9     14      65 
Improper disposal of records                                    10     27     10      80 
Unauthorized access                                             60    120    112     255 
Unencrypted e-mails sent                                         8     13     16     170 
Unintended disclosure or release                                22     48     24     199 
Total number of incidents                                      126    275    217   1,085 

Source: GAO analysis of VA data on incidents. 

a Numbers reported are from January 1, 2006, to November 3, 2006. 


While the increase in reported incidents in 2006 reflects a heightened awareness 
on the part of VA employees of their responsibility to report incidents involving loss 
of personal information, it also indicates that vulnerabilities remain in security con- 
trols designed to adequately safeguard information. 


20 Veterans Benefits, Healthcare, and Information Technology Act of 2006, Pub. L. No. 109- 
461 (Dec. 22, 2006). 

21 GAO-07-1019. 
Since the May 2006 security incident, VA has begun or has continued several 
major initiatives to strengthen information security practices and secure personally 
identifiable information within the department. These initiatives include the re- 
alignment of its IT management structure, as discussed earlier. Under the realign- 
ment, the management structure for information security has changed. In the new 
organization, the responsibility for managing the program lies with the CISO/Direc- 
tor of Cyber Security (the CISO position has been vacant since June 2006, with the 
CIO acting in this capacity), while the responsibility for implementing the program 
lies with the Director of Field Operations and Security. Thus, responsibility for in- 
formation security functions within the department is divided. 

VA officials indicated that the heads of the two organizations are communicating 
about the department’s implementation of security policies and procedures, but this 
communication is not defined as a role or responsibility for either position in the 
new management organization book, nor is there a documented process in place to 
coordinate the management and implementation of the security program. Both of 
these activities are key security management practices. Without a documented proc- 
ess, policies or procedures could be inconsistently implemented throughout the de- 
partment, which could prevent the CISO from effectively ensuring departmentwide 
compliance with FISMA. Until the process and responsibilities for coordinating the 
management and implementation of IT security policies and procedures throughout 
the department are clearly documented, VA will have limited assurance that the 
management and implementation of security policies and procedures are effectively 
coordinated and communicated. Developing and documenting these policies and pro- 
cedures are essential for achieving an improved and effective security management 
process under the new centralized management model. 

In addition to the realignment initiative, the department also has others under 
way to address security weaknesses. These include developing an action plan to cor- 
rect identified weaknesses; establishing an information protection program; improv- 
ing its incident management capability; and establishing an office to be responsible 
for oversight of IT within the department. However, implementation shortcomings 
limit the effectiveness of these initiatives. For example: 

• VA’s action plan has task owners assigned and is updated biweekly, but depart- 
ment officials have not ensured that adequate progress has been made to re- 
solve items in the plan. Specifically, VA has extended the completion date at 
least once for 38 percent of the plan items, and it did not have a process in 
place to validate the closure of the items. In addition, although numerous items 
in the plan were to develop or revise a policy or procedure, 87 percent of these 
items did not have a corresponding task with an established timeframe for im- 
plementation. 

• VA installed encryption software on laptops at facilities inconsistently; however, 
VA’s directive on encryption did not address the encryption of laptops that were 
categorized as medical devices, which make up a significant portion of the popu- 
lation of laptops at Veterans Health Administration facilities. In addition, the 
department has not yet fully implemented the acquisition of software tools 
across the department. 

• VA has improved its incident management capability since May 2006 by re- 
aligning and consolidating two incident management centers, and made a nota- 
ble improvement in its notification of major security incidents to U.S.-CERT 
(the U.S. Computer Emergency Readiness Team), the Secretary, and Congress, 
but the time it took to send notification letters to individuals was increased for 
some incidents because VA did not have adequate procedures for coordinating 
incident response and mitigation activities with other agencies and obtaining 
up-to-date contact information. 

• VA established the Office of IT Oversight and Compliance to conduct assess- 
ments of its facilities to determine the adequacy of internal controls and inves- 
tigate compliance with laws, policies, and directives and ensure that proper 
safeguards are maintained; however, the office lacked a process to ensure that 
its examination of internal controls is consistent across VA facilities. 

Until the department addresses recommendations to resolve identified weaknesses 
and implements the major initiatives it has undertaken, it will have limited assur- 
ance that it can protect its systems and information from the unauthorized use, dis- 
closure, disruption, or loss. 

In our report released last week, we made 17 recommendations to assist the de- 
partment in improving its ability to protect its information and systems. These rec- 
ommendations included that VA clearly define and document coordination responsibil- 
ities for the Director of Field Operations and Security and the Director of Cyber Se- 
curity and develop and implement a process for these officials to coordinate on the 
implementation of IT security policies and procedures throughout the department. 
We also made recommendations to improve the department’s ability to protect its 
information and systems, including the development of various processes and proce- 
dures to ensure that tasks in the department’s security action plans have time- 
frames for implementation. 

In summary, effectively instituting a realignment of the Office of Information and 
Technology is essential to ensuring that VA’s IT programs achieve their objectives 
and that the department has a solid and sustainable approach to managing its IT 
investments. VA continues to work on improving such programs as information se- 
curity and systems development. Yet we continue to see management weaknesses 
in these programs and initiatives (many of a longstanding nature), which are the 
very weaknesses that VA aims to alleviate with its reorganized management struc- 
ture. Until the department fully addresses the critical success factors that we identi- 
fied and carries out its plans to establish a comprehensive set of improved manage- 
ment processes, the impact of this vital undertaking will be diminished. Further, 
the department may not achieve a solid and sustainable foundation for its new IT 
management structure. 

Mr. Chairman and Members of the Committee, this concludes our statement. We 
would be happy to respond to any questions that you may have at this time. 

Contacts and Acknowledgements 

For more information about this testimony, please contact Valerie C. Melvin at 
(202) 512-6304 or Gregory C. Wilshusen at (202) 512-6244 or by e-mail at 
melvinv@gao.gov or wilshuseng@gao.gov. Key contributions to this testimony were 
made by Barbara Oliver, Assistant Director; Charles Vrabel, Assistant Director; 
Barbara Collier, Nancy Glover, Valerie Hopkins, Scott Pettis, J. Michael Resser, and 
Eric Trout. 


Attachment 1. Key IT Management Processes 
To Be Addressed in VA Realignment 

In the following table, the priority group number reflects the order in which the 
department plans to implement each group of processes, with one being the first pri- 
ority group. 


Key area / IT management process (implementation priority group) / Description 

Enterprise management 

  IT strategy (priority group 2) 
      Addresses long- and short-term objectives, business direction, and their 
      impact on IT, the IT culture, communications, information, people, 
      processes, technology, development, and partnerships 

  IT management (priority group 2) 
      Defines a structure of relationships and processes to direct and control 
      the IT endeavor 

  Risk management (priority group: see note a) 
      Identifies potential events that may affect the organization and manages 
      risk to be within acceptable levels so that reasonable assurance is 
      provided regarding the achievement of organization objectives 

  Architecture management (priority group 2) 
      Creates, maintains, promotes, and governs the use of IT architecture 
      models and standards across and within the change programs of an 
      organization 

  Portfolio management (priority group 1) 
      Assesses all applications, services, and IT projects that consume 
      resources in order to understand their value to the IT organization 

  Security management (priority group 2) 
      Manages the department’s information security program, as mandated by 
      the Federal Information Security Management Act (FISMA) of 2002 

  IT research and innovation (priority group 3) 
      Generates ideas, evaluates and selects ideas, develops and implements 
      innovations, and continuously recognizes innovators and learning from 
      the experience 

  Project management (priority group 1) 
      Plans, organizes, monitors, and controls all aspects of a project in a 
      continuous process so that it achieves its objectives 
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Key area 

IT 

management 

process 

Implemen- 

tation 

priority 

group 

Description 

Business man- 
agement 

Stakeholder 

requirements 

management 

1 

Manages and prioritizes all requests for additional 
and new technology solutions arising from a 
customer’s needs 


Customer 

satisfaction 

management 

3 

Determines whether and how well customers are 
satisfied with the services, solutions, and offerings 
from the providers of IT 


Financial 

management 

1 

Provides sound stewardship of the monetary 
resources of the organization 


Service pricing 
and contract 
administration 

3 

Establishes a pricing mechanism for the IT 
organization to sell its services to internal or 
external customers and to administer the contracts 
associated with the selling of those services 


Service marketing 
and sales 

3 

Enables the IT organization to understand the 
marketplace it serves, to identify customers, to 
“market” to these customers, to generate “marketing” 
plans for IT services and support the “selling” of IT 
services to internal customers 


Compliance 

management 

2 

Ensures adherence with laws and regulations, 
internal policies and procedures, and stakeholder 
commitments 


Asset management 

1 

Maintains information regarding technology assets, 
including leased and purchased assets, hcenses, and 
inventory 


Workforce 

management 

2 

Enables an organization to provide the optimal mix 
of staffing (resources and sMlls) needed to provide 
the agreed-on IT services at the agreed-on service 
levels 


Service-level 

management 

2 

Manages service-level agreements and performs the 
ongoing review of service achievements to ensure 
that the required and cost-justifiable service quality 
is maintained and gradually improved 


IT service 
continuity 
management 

1 

Ensures that agreed-on IT services continue to 
support business requirements in the event of a 
disruption to the business 


Supplier 

relationship 

management 

3 

Develops and exercises working relationships 
between the IT organization and suppliers in order 
to make available the external services and products 
that are required to support IT service commitments 
to customers 


Knowledge 

management 

3 

Promotes an integrated approach to identif 5 dng, 
capturing, evaluating, categorizing, retrieving, and 
sharing all of an organization’s information assets 

Business appli- 
cation man- 
agement 

Solution 

requirements 

2 

Translates provided customer (business) 
requirements and IT stakeholder-generated 
requirements/constraints into solution-specific terms, 
within the context of a defined solution project or 
program 


Solution analysis 
and design 

1 

Creates a documented design from agreed-on 
solution requirements that describes the behavior of 
solution elements, the acceptance criteria, and 
agreed-to measurements 


Solution build 

3 

Brings together all the elements specified by a 
solution design via customization, configuration, and 
integration of created or acquired solution 
components 


Solution test and 
acceptance 

See note a 

Validates that the solution components and 
integrated solutions conform to design specifications 
and requirements before deployment 

Infrastructure 

Service execution 

2 

Addresses the delivery of operational services to IT 
customers by matching resources to commitments 
and employing the IT infrastructure to conduct IT 
operations 
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Key area 

IT 

management 

process 

Implemen- 

tation 

priority 

group 

Description 


Data and storage 
management 

3 

Ensures that all data required for providing and 
supporting operational service are available for use 
and that all data storage facilities can handle 
normal, expected fluctuations in data volumes and 
other parameters within their designed tolerances. 


Event 

management 

3 

Identifies and prioritizes infrastructure, service, 
business and security events, and establishes the 
appropriate response to those events. 


Availability 

management 

3 

Plans, measures, monitors, and continuously strives 
to improve the availability of the IT infrastructure 
and supporting organization to ensure that agreed-on 
requirements are consistently met 


Capacity 

management 

3 

Matches the capacity of the IT services and 
infrastructure to the current and future identified 
needs of the business 


Facility 

management 

1 

Creates and maintains a physical environment that 
houses IT resources and optimizes the capabilities 
and costs of that environment 

Service support 

Change 

management 

1 

Manages the life cycle of a change request and 
activities that measure the effectiveness of the 
process and provides for its continued enhancement 


Release 

management 

1 

Controls the introduction of releases (that is, changes 
to hardware and software) into the IT production 
environment through a strategy that minimizes the 
risk associated with the changes 


Configuration 

management 

1 

Identifies, controls, maintains, and verifies the 
versions of configuration items and their 
relationships in a logical model of the infrastructure 
and services 


User contact 
management 

3 

Manages each user interaction with the provider of 

IT service throughout its life cycle 


Incident 

management 

2 

Restores a service affected by any event that is not 
part of the standard operation of a service that 
causes or could cause an interruption to or a 
reduction in the quality of that service 


Problem 

management 

2 

Resolves problems affecting the IT service, both 
reactively and proactively 


Source: GAO. 

® The department indicated that this process had completed a pilot, but did not assign it to a priority group. 


Appendix III: Information on Selected Security Incidents at VA from 
December 2003 to January 2007 

The Department of Veterans Affairs (VA) had at least 1500 security incidents re- 
ported between December 2003 and January 2007 which included the loss of per- 
sonal information. Below is additional information on a selection of incidents, in- 
cluding all publicly reported incidents subsequent to May 3, 2006, that were re- 
ported to the department during this period and what actions it took to respond to 
these incidents. These incidents were selected from data obtained from VA to pro- 
vide illustrative examples of the incidents that occurred at the department during 
this period. 

• December 9, 2003: stolen hard drive with data on 100 appellants. A VA laptop 
computer with benefit information on 100 appellants was stolen from the home 
of an employee working at home. As a result, the agency office was going to 
recall all laptop computers and have encryption software installed by December 
23, 2003. 

• November 24, 2004: unintended disclosure of personal information. A public 
drive on a VA e-mail system permitted entry to folders/files containing veterans’ 
personal information (names, Social Security numbers, dates of birth, and in 
some cases personal health information such as surgery schedules, diagnosis, 
status, etc.) by all users after computer system changes were made. All folders were 
restricted, and individual services were contacted to set up limited access lists. 
• December 6, 2004: two personal computers containing data on 2,000 patients stolen. Two desktop personal computers were stolen from a locked office in a research office of a medical center. One of the computers had files containing 
names, Social Security numbers, next of kin, addresses, and phone numbers of 
approximately 2,000 patients. The computers were password protected by the 
standard VA password system. The medical center immediately contacted the 
agency Privacy Officer for guidance. Letters were mailed to all research subjects 
informing them of the computer theft and potential for identity theft. VA en- 
closed letters addressed to three major credit agencies and postage paid enve- 
lopes. This incident was reported to VA and Federal incident offices. 

• March 4, 2005: list of 897 providers’ Social Security numbers sent via e-mail. 
An individual reported e-mailing a list of 897 providers’ names and Social Secu- 
rity numbers to a new transcription company. This was immediately reported, 
and the supervisor called the transcription company and spoke with the owner 
and requested that the file be destroyed immediately. Notification letters were 
sent out to all 897 providers. Disciplinary action was taken against the em- 
ployee. 

• October 14, 2005: personal computer containing data on 421 patients stolen. A 
personal computer that contained information on 421 patients was stolen from 
a medical center. The information on the computer included patients’ names; 
the last four digits of their Social Security numbers; and their height, weight, 
allergies, medications, recent lab results, and diagnoses. The agency’s Privacy 
Officer and medical center information security officer were notified. The use of 
credit monitoring was investigated, and it was determined that because the en- 
tire Social Security number was not listed, it would not be necessary to use 
these services at the time. 

• February 2, 2006: inappropriate access of VA staff medical records. A VA staff 
member accessed several coworkers’ medical records to find date of birth. Em- 
ployee information was compromised and several records were accessed on more 
than one occasion. No resolution recorded. 

• April 11, 2006: suspected hacker compromised systems with employee’s assist- 
ance. A former VA employee is suspected of hacking into a medical center com- 
puter system with the assistance of a current employee providing rotating ad- 
ministrator passwords. All systems in the medical center serving 79,000 vet- 
erans were compromised. 

• May 5, 2006: missing backup tape with sensitive information on 7,052 individ- 
uals. An office determined it was missing a backup tape containing sensitive in- 
formation. On June 29, 2006, it was reported that approximately 7,052 veterans 
were affected by the incident. On October 11, 2006, notification letters were 
mailed, and 5,000 veterans received credit protection and data breach analysis 
for 2 years. 

• August 3, 2006: desktop computer with approximately 18,000 patient financial 
records stolen. A desktop computer was stolen from a secured area at a con- 
tractor facility in Virginia that processes financial accounts for VA. The desktop 
computer was not encrypted. Notification letters were mailed and credit moni- 
toring services offered. 

• September 6, 2006: laptop with patient information on an unknown number of 
individuals stolen. A laptop attached to a medical device at a VA medical center 
was stolen. It contained patient information on an unknown number of individ- 
uals. Notification letters and credit protection services were offered to 1,575 pa- 
tients. 

• January 22, 2007: external hard drive with 535,000 individual records and 1.3 
million non-VA physician provider records missing or stolen. An external hard 
drive used to store research data with 535,000 individual records and 1.3 mil- 
lion non-VA physician provider records was discovered missing or stolen from 
a research facility in Birmingham, Alabama. Notification letters were sent to 
veterans and providers, and credit monitoring services were offered to those in- 
dividuals whose records contained personally identifiable information. 
Prepared Statement of Hon. Robert T. Howard, 

Assistant Secretary for Information and 
Technology and Chief Information Officer, 

Office of Information and Technology, U.S. Department of Veterans Affairs 

Thank you, Mr. Chairman. I would like to thank you for the opportunity to testify 
on the realignment progress in the Office of Information and Technology (OIT). 

This is such a crucial issue, and I appreciate the Committee’s interest. With me 
today from OIT is Arnie Claudio (Director, Oversight and Compliance). I am also 
accompanied by: 

• Adair Martinez (Deputy Assistant Secretary for Information Protection and 
Management) 

• Jeff Shyshka (Deputy CIO for Enterprise Operations and Infrastructure) 

And on a separate panel will be Paul Tibbits (Deputy CIO for Enterprise Develop- 
ment). 

Firstly, I would like to thank you, Mr. Chairman, for giving me the opportunity 
to testify about the progress being made in OIT’s realignment. This Committee has 
demonstrated great support for and interest in this issue, and we genuinely appre- 
ciate it. 

Last week, during a similar hearing conducted by the Senate Committee on Vet- 
erans’ Affairs, I began by talking about my top seven priorities as Assistant Sec- 
retary for the Office of Information and Technology. Today, I would like to do that 
again as these priorities are guiding the realignment process we see taking place. 
Briefly, they include (1) establishing a well-led, high-performing, IT organization 
that delivers responsive IT support to the three Administrations and Central Office 
staff sections; (2) standardizing IT infrastructure and IT business processes 
throughout VA; (3) establishing programs that make VA’s IT system more inter- 
operable and compatible; (4) effectively managing the VA IT appropriation to en- 
sure sustainment and modernization of our IT infrastructure and more focused ap- 
plication development to meet increasing and changing requirements of our business 
units; (5) strengthening data security controls within VA and among our contractors 
in order to substantially reduce the risk of unauthorized exposure of veteran or VA 
employee sensitive personal information; (6) creating an environment of vigilance 
and awareness to the risks of compromising veteran or employee sensitive personal 
information within the VA by integrating security awareness into daily activities; 
and (7) remedying the Department’s longstanding IT material weaknesses relating 
to a general lack of security controls. I assure you that we are working hard to give 
these priorities the required attention. 

As you know, the Government Accountability Office (GAO) recently released a re- 
port on our realignment progress and correctly identified that there is more work 
to be done to have a successful transition from a decentralized to a centralized orga- 
nization. We have already begun implementing some of their recommendations such 
as establishing an IT governance plan, continuing with process development, and 
expediting the development of performance metrics to track realignment progress. 
Implementing these recommendations will certainly aid in the realignment. 

We have made, I believe, solid progress in other areas of this realignment. We 
have dramatically improved incident response because of the significant amount of 
policy guidance and training conducted on information protection. Since we have 
begun this, we have seen an increase in self-reporting security and privacy viola- 
tions and incidents. We are also making great improvements in the area of data pro- 
tection by encrypting over 18,000 laptops, implementing procedures for issuing 
encrypted portable data storage devices, purchasing software to address the 
encryption of data at-rest this month, reducing the use of Social Security numbers, 
and reviewing and eliminating a significant amount of personally identifiable infor- 
mation VA currently holds. Regarding these last two points, VA has drafted two 
documents outlining plans to achieve both these goals. These plans were developed 
in accordance with the Office of Management and Budget (OMB) Memorandum M- 
07-16, “Safeguarding Against and Responding to the Breach of Personally Identifi- 
able Information” and will be included in this year’s Federal Information Security 
Management Act (FISMA) report. Regarding the FISMA report, not only will we 
submit one this year, (we got an incomplete last year), but we have, for the first 
time, completed testing of over 10,000 security controls on our 603 computer sys- 
tems. Mr. Chairman, you will be pleased to know that we recently awarded a con- 
tract for extensive port monitoring, which will help us better control network ac- 
cess — a very important tool in our information protection toolkit. 

Through this realignment, we are also addressing the critical issue of asset management. As you remember, the House Veterans’ Affairs Oversight and Investigations Committee recently held a hearing on VA’s IT asset management based on a 
GAO report (report 07-505) which found inadequate controls and risk associated 
with theft, loss, and misappropriation of IT equipment at selected VA locations. In 
that report, GAO found many problems regarding the IT asset management envi- 
ronment and included a number of important recommendations — with which we 
agree and are implementing. We have completed a handbook on the Control of Information Technology Equipment within the VA which includes each of the recommendations made by GAO in its report. These documents are now being finalized 
within the Department, but we have already implemented the procedures they de- 
scribe. They will provide clear direction on all aspects of IT asset management. 

For the past 6 months, tightening IT inventory control throughout VA has been 
the focus of a cross-functional Tiger Team. In addition, VA has issued a memo- 
randum requiring each VA facility to complete, by the end of December of this year, 
a wall-to-wall inventory of all IT equipment assets, including sensitive items, re- 
gardless of cost. Reporting requirements have been established at the Facility, Re- 
gional and Field Operations levels to ensure that issues are identified and addressed 
early in the process. By way of support, we have established an IT Inventory Con- 
trol Knowledge Center that is accessible by all VA personnel. This website provides 
references, templates, definitions, frequently asked questions and a link to contact 
the Tiger Team directly. Also, the Office of Oversight and Compliance is working 
with Tiger Team members to develop a compliance checklist that will be used for 
scheduled and unscheduled audits regarding IT assets. This initial inventory will 
help provide a VA IT asset baseline — something that has not existed before and is 
a direct result of the realignment. 

Lastly, an important and fair question to ask regarding this realignment is how 
has it impacted the delivery of healthcare and benefits to our veterans. In my opin- 
ion, there has been no significant change in these two areas — which was a key objec- 
tive of this reorganization — to do no harm. This is not to say we have not had prob- 
lems — we have. But we have also experienced improvements in our ability to gain 
knowledge over IT activities that were not very visible in the past, in IT funding 
details across the VA, and in our ability to protect the sensitive information of our 
veterans. 

In closing, I want to assure you, Mr. Chairman, that a successful realignment in 
OIT is a key goal within the VA. I have good people in my office who all share this 
commitment and work hard to achieve it. We have accomplished many things this 
past year but more remains to be done. I appreciate having this opportunity to dis- 
cuss this with you and will gladly respond to your questions. 


Prepared Statement of Arnaldo Claudio 
Executive Director, Office of IT Oversight and Compliance 
Office of Information and Technology, U.S. Department of Veterans Affairs 

Thank you, Mr. Chairman and Members of the Committee. I appreciate the oppor- 
tunity to speak with you today on the topic of the Department’s Information Tech- 
nology (IT) reorganization and to share with you the impact and progress that the 
Department of Veterans Affairs (VA) has achieved as a result of the establishment 
of the Office of IT Oversight and Compliance (ITOC). 

ITOC was established in February of 2007, as a response to the need for the VA 
to enhance the protection of our veterans’ sensitive information. This concept was 
initially addressed by Professor Eugene H. Spafford, during his Congressional testi- 
mony shortly after the data breach of May 2006; and later by the IBM study in their 
December 2006 publication entitled: High Level Target Organizational Structure on 
VA’s IT realignment. Furthermore, in February of 2007, Secretary Nicholson con- 
veyed a strong message regarding the importance of proactively identifying, ad- 
dressing and mitigating any risks that could jeopardize the potential loss of vet- 
erans’ sensitive information. 

To fulfill this vital requirement, ITOC is charged with providing independent, ob- 
jective, and quality oversight and compliance assessment services in the area of in- 
formation and technology to include Cyber Security, Records Management, Privacy 
and Physical Security. 

The concept of ITOC is not entirely new to VA. Prior to ITOC’s establishment, 
a smaller scale initiative collocated within the Office of Cyber and Information Secu- 
rity (OCIS) known as the Review Inspection Division (RID) existed. 

In October 2002, the RID was created to fulfill the requirements set by the Office 
of Management and Budget (OMB), VA Directive 6210, VA policy and Departmental 
commitments to Congress, which mandated security audits (reviews and inspections) be conducted at every VA facility on a recurring basis. Although RID was 
given a mission to review the entire Department’s cyber and information security 
program at all VA facilities, it was never given sufficient resources and authority 
to carry out all but a small fraction of these tasks. Staffing was inadequate with 
only five VA employees and a handful of contractors. Considering VA has over 1200 
sites, RID was given an impossible task to perform. In addition, none of the detailed 
reports created and forwarded to OCIS senior management were approved or for- 
warded to sites. 

Today with the establishment of ITOC, that is no longer the case. We are now 
resourced and equipped to identify issues and to address our observations imme- 
diately after the completion of our assessments with the hospital leadership includ- 
ing the facility Director, Chief Information Officer, Information Security Officer, Pri- 
vacy Officer and other important members of the hospital staff; and thereafter, we 
report our findings directly to the VA CIO Mr. Robert Howard. The ITOC has the 
robustness and appropriate strategic planning, focus, and vision necessary to suc- 
cessfully address the new paradigm facing VA. 

Since its creation earlier this year, ITOC has grown from 7 to 128 employees and, 
by the end of Phase 2 in FY 2009, it is expected to have a total workforce of 165 
employees. This is in itself a success story. Most government programs take years 
before they can be stood up and become fully operational. Our employees have been 
selected from a pool of talented subject matter experts from both industry and gov- 
ernment. 

The ITOC has achieved a great deal in just a few months and it is already show- 
ing dramatic results and measurable benefits across VA. As of today, we have con- 
ducted over 100 assessments — a rate of 18 to 20 assessments per month, versus 2 
per month compared to our predecessor organization. 

We have experienced our share of significant challenges — but none so far that 
have proven impossible. The assessments performed by my staff are very thorough. 
We are working together with VHA, VBA and NCA to correct and eliminate the existing deficiencies found by the Inspector General (IG) and the General Accounting 
Office (GAO) over the last few years. 

As Executive Director, for the Office of IT Oversight and Compliance at VA, but 
first and foremost, as a veteran, I truly feel the responsibility for ensuring compli- 
ance with the integrity and security of VA’s sensitive information and IT assets. I 
understand that security awareness is a paradigm change — a change to our business 
operations culture and simply the way we do things. My staff and I have found that 
the field facilities welcome our independent and objective assessments as the leader- 
ship across VA continues to drive home, to each employee, the importance of secur- 
ing sensitive information. I am prepared to answer your questions today about what 
the Office of IT Oversight and Compliance is doing to effect real change to improve 
VA’s FISMA scorecard, as well as how we are working together with other VA Ad- 
ministrations to mentor, train, coach and optimize our valuable resources to better 
serve our Nation’s veterans. 

In closing, I want to assure you, Mr. Chairman, and the members of this Committee that we will continue to be diligent in our efforts to improve and remedy VA’s 
Information Technology environment. Thank you for your time and the opportunity 
to speak on this issue. I would be happy to answer any questions you may have. 


Prepared Statement of Paul A. Tibbits, M.D. 

Deputy Chief Information Officer, Office of Enterprise Development 
Office of Information and Technology, U.S. Department of Veterans Affairs 

Thank you, Mr. Chairman. I would like to thank you for the opportunity to testify 
on the realignment progress in the Office of Information and Technology (OIT) and 
to share with you the progress made in VA as a result of the centralization of IT 
development activities. 

Joining me on this panel is Dr. Ben J. Davoren, Director, Clinical Informatics, 
from our San Francisco Medical Center. 

This Committee has demonstrated great support for and interest in IT in the VA, 
and we genuinely appreciate it. 

You have just heard testimony from Assistant Secretary Howard regarding the 
GAO report on our realignment progress and the need for more work to be done 
to achieve successful transition from a decentralized to a centralized organization. 
While General Howard focused on the information protection aspects of the realign- 
ment, I would like to share with you our progress in establishing an IT governance 
plan, strengthening development process improvement efforts, and fostering innovation. 

You have also heard General Howard refer to his seven (7) priorities and how 
they are guiding the realignment process. I would like to talk more about those pri- 
orities that have special significance to the Office of Enterprise Development. They 
include (1) establishing a well-led, high-performing, IT organization that delivers 
responsive IT support to the three Administrations and Central Office staff sections; 

(2) standardizing IT infrastructure and IT business processes throughout VA; 

(3) establishing programs that make VA’s IT system more interoperable and com- 
patible; (4) effectively managing the VA IT appropriation to ensure sustainment 
and modernization of our IT infrastructure and more focused application develop- 
ment to meet increasing and changing requirements of our business units. 

CIO Priorities 

First, with respect to establishing a well-led, high-performing IT organization that 
delivers responsive IT support to the three Administrations and Staff Offices, we are 
pursuing improvement of the development workforce throughout the Office of Enter- 
prise Development. In so doing, development staff will be better prepared to act as 
knowledgeable consultants at the local level to assist healthcare providers in devel- 
opment of innovation software solutions that are likely to be technically sound and 
ready for national deployment. 

To improve the capability of the VA IT development workforce we are instituting 
real-time coaching and mentoring by industry experts in best practices for systems 
development, to institutionalize these practices at the VA. 

Improving workforce capability increases the staffs readiness to perform critical 
development processes, increases the likelihood of achieving desired results from 
performing the processes, and allows the VA to realize the benefits from the investment in process improvement for all VA facilities. 

Second, with respect to standardizing IT infrastructure and IT business processes 
throughout VA, standardization of these processes provides the baseline for measuring the effectiveness of its development process. It is the first step to reduce time 
to deliver applications, reduce costs to develop applications, implement business- 
driven process performance measures, and increase productivity of the development 
workforce. And it is hard work. 

For the IT development organization, our standardized processes are based on in- 
dustry best practices as codified in the Capability and Maturity Models from the 
Software Engineering Institute for both software development and workforce com- 
petency. We are using independent industry to guide us through this self-improve- 
ment initiative. 

Third, let me address establishing programs that make VA’s IT system more 
interoperable and compatible. Interoperability begins with a common understanding 
of terminology. To establish this with sufficient precision, the IT development organization is collaborating closely with the Administrations in use of business modeling to provide a uniform basis of developing a shared understanding of new ways to serve veterans and the information required to do so. 

Next we are engaging with the Administrations and with DoD to strengthen and 
accelerate data standardization activities within VA and with DoD. We are explor- 
ing ways to focus on high priority patient groups, such as traumatic brain injury 
and post traumatic stress disorder, while continuing the hard work of semantic 
analysis and reconciliation and the consolidation of multiple data feeds between VA 
and DoD. 

Fourth, we are focused on managing the VA IT appropriation to ensure 
sustainment and modernization of our IT infrastructure and more focused applica- 
tion development to meet increasing and changing requirements of our business 
units. We are applying life cycle and total cost of ownership management practices 
to all development projects, to account for all costs of implementation and oper- 
ations, as a foundation for budget formulation. We are moving toward clear, line- 
of-sight alignment with the VA strategic plan and the Performance Accountability 
Report by reshaping our OMB 300 exhibits in FY 2010, creation of the first multi-year IT budget, and strengthening our relationship with the requirements processes 
of the Administrations and Staff offices. 

Governance 

We have established a participative, transparent IT governance process at the 
senior executive level of the VA. Decisionmakers at the VA were not equipped with 
the framework for understanding the relative importance of one dimension of project 
performance with respect to others, leading to a bias toward financial metrics dur- 
ing process prioritization. Decisionmakers lacked key information with respect to 
project benefits and total cost to make effective decisions on priorities. We have created a set of organizational principles and governance structures and practices that 
surface business strategy, facilitate accurate project cost, benefit, and risk estimation, and provide a decisionmaking framework that focuses attention on a subset 
of the most critical projects and delivers timely, accurate information to the VA’s 
senior decisionmakers. 

We are strengthening the use of earned value systems in our large programs. We 
have undertaken independent assessment of the soundness of our approach to man- 
aging certain IT development projects and will expand this activity. 

We are developing management dashboards to implement early warning of issues 
with system development: 

• Project/program Status — tracking of project performance as compared to cost, 
schedule, and scope estimates. 

• Project/program data quality — Assesses the quality of software releases, 
through analysis of defects found and problems noted. 

• Project/program Return on Investment (ROI), earned value, and risk 
management — Compares real program ROI with estimated ROI, and uses 
earned value to serve as a leading indicator of deviation from forecasted cost 
and schedule. 

• Portfolio resource allocation — Determines the application of financial resources to various projects, to balance production across multiple related initiatives. 

• Portfolio timelines — Provides an integrated view of program timelines, high- 
lighting the programs that will attain significant milestones or be complete by 
a specific future date. 

• Portfolio mix — Displays the mix of project spending among groups of related 
software applications. 

We are focusing intense effort on managing the execution of funds in accordance 
with established plans, to ensure projects are adequately resourced, and learning 
lessons for improvements next year. 

Promote innovation 

Challenges. The Secretary has migrated all IT activities under a single leadership 
authority, in part due to the need to drive standardization and interoperability of 
applications and infrastructure across VA. We need application development plans 
that employ industry best practices and have the potential to accelerate the success- 
ful completion of IT projects, including implementation across the VA. 

The centralized IT budget (the single IT appropriation) sets a context for competi- 
tion among new ideas, since some are not affordable. This creates the perception at 
the hospital that many good ideas are disregarded despite “local needs”, and that 
the flexibility available to VISN and hospital directors to use healthcare funds for 
IT is a constraint. This view disregards the rest of the story. Solutions developed 
locally were rarely deployed across all VA medical centers, resulting in some centers 
not getting the advantage of these IT capabilities. Furthermore, many needs were 
thought of as local, when in fact they were enterprise-wide requirements, such as 
reports to support Joint Commission accreditation visits. 

Under the single IT authority and single IT appropriation, we operate in an envi- 
ronment of financial transparency. Funds dedicated to sustainment, extending leg- 
acy systems to meet urgent needs of returning warriors, and to modernize our com- 
puting environment are now visible to senior VA executives. We have no formal 
mechanism to allocate funds to IT innovation. Unmanaged local innovation makes 
the implementation of enterprise solutions very difficult. Many IT products are oper- 
ating in various VAMCs, with no support mechanism to proliferate the more suc- 
cessful of them to all other medical centers. 

In close collaboration with VHA, we are moving to create a mechanism to deal 
with this challenge. We have developed a process to identify new ideas at the local 
level, facilitate collaboration among field developers and VAMC healthcare profes- 
sionals, to develop new software products in a non-production environment in an un- 
constrained manner. In order to enter the live production environment and assure 
deployability across all VA sites, certain technical, business value, security, and pa- 
tient safety assessments will be made and any remediation necessary applied. There 
are effectively no constraints on the trial development of new IT solutions; there are 
disciplined assessments prior to VA-wide implementation to assure safety and con- 
tinuity of operations of the IT production environment. 

The migration from the VistA legacy system to the HealtheVet platform entails 
complex development, a new programming medium, a new architecture, and estab- 
lishment of a veteran-centric medical record versus the facility-centric nature of 
VistA. This form of innovation must be centrally managed. It is too large for local 
initiatives alone to accomplish. In addition, some forms of new IT support require 
an analysis of end-to-end processes to serve veterans, such as transition from DoD 
to VA, again not easily accomplished at the local level when complex data standard- 
ization and security issues are involved. We are attempting to strike the right bal- 
ance. 

Effective communication is critical to successful organizational change. The migra- 
tion of IT development personnel under a single IT authority will need to be sup- 
ported by a focused communications strategy and plan to avoid disruption to VA’s 
business operations and to achieve the benefits of the new organization. 

We are strengthening our communications strategy for the development staff. 

There has been no significant change in the delivery of healthcare and benefits 
to veterans with this realignment. We have had some problems, but we have also 
gained valuable visibility over unknown IT activities — a definite improvement. We 
also now know more about IT funding details across the VA and have a greater abil- 
ity to protect the sensitive veterans’ information. 

In closing, let me say that we want your ideas. I want to assure you, Mr. Chair- 
man, that a successful realignment of IT development activities is a key goal within 
the VA. We have accomplished many things this past year but more remains to be 
done. I appreciate having this opportunity to discuss this with you and will gladly 
respond to your questions. 


Prepared Statement of J. Ben Davoren, M.D., Ph.D., 

Director of Clinical Informatics, 

San Francisco Veterans Affairs Medical Center, 

Veterans Health Administration, U.S. Department of Veterans Affairs 

Good morning, Mr. Chairman and Members of the Committee. Thank you for this 
opportunity to provide my personal perspective of the Veterans Affairs Office of In- 
formation and Technology (OI&T) reorganization that began in 2005. The views that 
I present today are my own and do not necessarily represent the views of the VA 
Medical Center San Francisco, Veterans Integrated Service Network (VISN) 21, or 
the Veterans Health Administration. 

I would like to preface my testimony with VHA and OI&T’s mutual goals, and 
principles in the facilitation of the reorganization. In addition, the testimony will 
discuss realignment concerns I believe were voiced from the field in 2005, my views 
of the impact of the realignment on Veterans Health Administration’s (VHA) mis- 
sions, and the regional computer system downtime of August 31, 2007, as a para- 
digm. 

Mutual Goals and Principles 

As described in a GAO interim report of June 2007, the primary goals of the 
OI&T reorganization were to centralize IT management under a department-level 
Chief Information Officer, to standardize operations, and the development of sys- 
tems across the Department using new management processes based on industry 
best practices. The VA Inspector General reported that the lack of a centralized 
structure was a major impediment to successful IT management. Events related to 
the loss or potential loss of sensitive information reinforced VA’s need to reorganize 
IT, especially in terms of data security processes. 

The OI&T stated principles for the reorganization process were that: 

• A single IT leadership management system would facilitate achievement of en- 
terprise strategic objectives, standardization, compatibility, interoperability, and 
fiscal discipline; 

• A process-focused organization and IT management system would be aligned 
with best practices for IT processes, roles, metrics, and governance; 

• Strong integration between OI&T and the business offices (VHA, Veterans Benefits Administration, National Cemetery Administration, and Staff Offices) would 
set IT strategy, determine requirements, and implement solutions; 

• Approaches to legacy and new application development would be synchronized; 

• New process-based organizational structure for the Office of the Assistant Sec- 
retary for Information and Technology would be defined; and 

• IT realignment would transform VA into a service-based IT organization with 
a client-centric IT model that aligned IT with VA business needs, priorities, and 
mission. 

Concerns Voiced From the Field in 2005 

In response to the Secretary’s proposals for IT realignment, I believe that employees at some medical centers expressed a number of concerns about the details of 
the plan. In particular, I believe they felt that the regionalization of IT resources 
would create new points of failure that could not be controlled by the sites experi- 
encing the impact, and that the system redundancy required to prevent this was 
never listed as a prerequisite to centralization of critical patient care IT resources. 
From my point of view as the Director of Clinical Informatics, it was clear to me 
that the focus of reorganization/realignment was on technical relationships and not 
on how the missions of VHA would be communicated to the new OI&T structure. 
For example, realignment success metrics were focused on Regional Data Processing 
Center (RDPC) deliverables rather than facility needs. Finally, key facility-based IT 
staff had been tightly integrated into local Committees and planning groups as sub- 
ject matter experts, but could no longer be tasked directly by the facility Director 
to participate, and had no clear OI&T-driven incentive to continue. Ultimately, the 
concern was that in trying to create a new structure in the name of “standardization”, support would wane to a “lowest common denominator” for all facilities, no 
matter how diverse their actual needs were. 

Impact on VHA’s Four Principal Missions 

With respect to the primary patient care mission, the good news has been that 
new policies and procedures regarding encryption of sensitive information have been 
well-publicized and have heightened the awareness of all care providers as to the 
critical nature of the information they use everyday. I think this has positively im- 
pacted the culture of VHA and improved respect for our veterans. The bad news is 
that centralization of physical IT resources to the RDPCs has directly led to more 
system downtime for individual medical centers than they have ever had before, re- 
sulting in hundreds of simultaneous threats to the safety of our veteran patients. 
In addition, it is my opinion that disagreements over whether new proposals for 
clinical application or device procurement are “IT” or “not-IT” have markedly delayed 
upgrading of aging systems and implementation of new systems for veterans’ care. 

With respect to the education mission, the good news is again that standards for 
encryption of sensitive information have heightened the awareness of all staff and 
students as to the critical nature of the information they have at their fingertips 
and the need to protect it in all settings. 

However, from my vantage, rules on encryption of all portable devices, such as 
“thumb drives”, rather than just on encrypting sensitive information, have made it 
cumbersome to go about common work, such as giving academic and scientific pres- 
entations where no sensitive information is present. Further, security rules for 
using network resources have stopped some Internet-based videoconferencing activi- 
ties between VA and non-VA colleagues, while awaiting new funding cycles to pro- 
cure next-generation equipment. 

With respect to the research mission, the proposed standardization of VHA data- 
bases as part of centralization may create significant research opportunities, and 
has been supported by the research community though, at this time, no specific 
progress has been made. Rules regarding encryption of transported sensitive infor- 
mation have been warmly received by the research community as a best practice. 
However, security rules for using network resources have stopped some Internet- 
based videoconferencing activities between VA and non-VA colleagues. Some addi- 
tional unique local IT resources have been required to maintain other research ac- 
tivities which utilize the Internet and I have concerns about how long they can con- 
tinue. 

In terms of our role in supporting the Department of Defense, I believe that initia- 
tives to enhance electronic data-sharing between VHA and DoD have proceeded ap- 
propriately. 

Impact on VHA’s Accomplishments and Morale 

In my opinion, confirmed in many conversations with my peers, there has been 
a lack of transparent communication between VHA and the reorganizing OI&T 
structure. At present, economies of scale that were a cornerstone of the OI&T re- 
alignment proposal have not been communicated to the facility level where the work 
of VHA occurs. The focus on security and data integrity has led to a number of new 
requirements with impacts that generate significant concern without a clear path- 
way to resolution. For example, to fully comply with security requirements on our 
examination room PCs, we must log out of both a clinical application such as our 
Computerized Patient Record System and the Microsoft Windows operating system 
each time we leave the room even for a moment, yet it may take as long as 12 minutes to log back on when we return. Given a 20 or 30 minute visit with their veteran patient, the clinician is thus forced to choose to “do the right thing” for either 
the patient or the system, but cannot do both. 

In my view, there remains a tremendous uncertainty about how to work with our 
longstanding IT colleagues to address local or regional clinical care, research, or 
educational needs. These arise on an almost daily basis as the result of new man- 
dates from accrediting bodies, VA performance measures, or Congressional action. 
Accountability for all these activities remains with the individual Facility Directors, 
but they no longer have the authority to task IT staff nor directly acquire techno- 
logical resources that are a part of every new idea that is put forth to meet the new 
needs. There is a sense of great inertia that overrides the anticipation of great op- 
portunities in the new OI&T structure. I believe that this has greatly slowed the 
field development process that is the very foundation of our VA-created computer 
system, VistA. 

Regional Computer System Downtime of August 31, 2007 

On August 31, 2007, the new “Region One” of OI&T-supported facilities experi- 
enced the most significant technological threat to patient safety VA has ever had — 
a 9-hour downtime during standard business hours that crippled the clinical and 
other information systems of 17 different VHA medical facilities. During the down- 
time, it became clear to me that many assumptions about the RDPC model were 
erroneous. Specifically, rather than creating a redundancy to protect facilities from 
system problems, a new single point of failure caused a problem that could never 
have been replicated without the RDPC model having been created. In this vein, the 
ability to “failover” from the RDPC in Sacramento to Denver, previously described 
as a major advantage to the RDPC model, was never taken advantage of. Electronic 
contingency systems, put in place as a part of the RDPC migration strategy, were 
unavailable or overwhelmed in four of the medical centers, despite prior experience 
that this was a known risk during the pilot phase of the RDPC collocation project. 
Lastly, and of great concern to the medical centers as a harbinger of future support, 
clinical need was expected to be the driver of the service restoration process. In- 
stead, half a day of troubleshooting and error log evaluation and analysis went by 
before the shutdown and reboot process was initiated to actually fix the problem. 

The after-action report, while done in a timely fashion and generally clear, did 
not address the two major concerns of the facilities that had to deal with the impact 
of the downtime at all. Specifically, how it could be that the RDPC model designed 
for redundancy could instead have been designed to create the single point of failure 
that facilities predicted 2 years earlier would paralyze them? Why was the “failover” 
from the Sacramento RDPC to the Denver RDPC not initiated immediately when 
the magnitude of the impact was known? Despite repeated queries about this on the 
official Region 1 VistA Outlook email thread designed to facilitate communication 
between OI&T and VHA facilities, I am unaware of whether this question was ever 
answered. 

In my view, the OI&T realignment process begun in VA in 2005 for the right rea- 
sons has been focused on technical IT issues and the reporting structure of its new 
6000-strong employee force. While there has been measurable success in those 
areas, my perspective is that this has not been the case for the planned linking of 
IT strategic planning with organizational strategic planning and communication be- 
tween all stakeholders in VA. Mr. Chairman this concludes my statement. I will be 
pleased to answer any questions that you or other Members of the Committee might 
have. 


Statement of Hon. Harry E. Mitchell, 
a Representative in Congress from the State of Arizona 

Thank you Mr. Chairman. 

Last week, the Government Accountability Office released their review of the 
progress made in reorganizing information technology at the VA. 

In October 2005, the VA began centralizing its information technology manage- 
ment structure. 

Shortly thereafter, in May 2006, a laptop theft from an employee’s home con- 
taining personal information brought the importance of this issue to light, and the 
Department’s mismanagement of the situation showed the urgency of centralization. 

The GAO report showed that the Department has not yet implemented full secu- 
rity protocols to protect veterans’ and medical providers’ personal information. 

It also highlighted the importance of an implementation team, which has also 
been previously suggested and ignored by top officials in the Department. 
Information security is not an issue that we can take lightly these days. 

Securing the personal information of our veterans should be a high priority, and 
any breach of government security should be taken seriously. 

Following the compromised security of information at the VA in May of 2006, offi- 
cials pledged stronger action, but the security breach this past January shows that 
they have yet to deliver once again. 

Arizona leads the nation in identity theft and this report only further concerns 
me about security at the VA. 

I look forward to hearing how we can work together to address this pressing 
issue. 


Statement of Bryan D. Volpp, M.D., 

Associate Chief of Staff, Clinical Informatics, 

Veterans Affairs Northern California Healthcare System, 

Veterans Health Administration, U.S. Department of Veterans Affairs 

Good morning Mr. Chairman and Members of the Committee. Thank you for this 
opportunity to discuss the impact on patient care due to the disruption to the VISTA 
and Computerized Patient Record System (CPRS) at the VA Northern California 
Healthcare System (VA NCHCS). The VA NCHCS is an integrated healthcare delivery system serving more than 377,700 veterans dispersed over a wide area covering ten 
geographic sites. We serve approximately 70,000 unique veterans per year and aver- 
age close to 2000 visits per day. VA NCHCS offers a comprehensive array of med- 
ical, surgical, rehabilitative, primary, mental health and extended care to veterans 
in Northern California. In addition, we provide inpatient acute and critical care 
services at the Sacramento site (50 beds) and inpatient nursing home and subacute 
care (115 beds) at the Martinez site. 

Disruption to VISTA and CPRS 

On August 31, 2007, at approximately 7:30 am on Friday, VA NCHCS experienced 
a major disruption with the logons to our VistA and CPRS. The disruption resulted 
from a problem at the Sacramento Regional Data Processing Center (SRDPC) and 
affected 17 sites within VA NCHCS. 

Contingency Plan for Disruptions 

VA NCHCS immediately implemented our local contingency plan for failure, 
which consists of three backup levels. The first level backup is a switch over from 
the Sacramento Data Center to the Denver Data Center. The second level backup 
is a read-only version of the patient data. And the final level of backup is a set of 
files stored on some local PCs that contains brief summaries of a subset of the pa- 
tient data for patients who are current inpatients or who have appointments in the 
next 2 days. A key element in our contingency plan is that communication to the 
users on the cause and an estimate of length of the downtime are to be made on 
a regular basis by IRM. This did not occur. 

The contingency plans failed to stop the disruption. The switch over to the Denver 
Data Center did not occur. The read-only backup of the patient data had been made 
unavailable earlier in the week of August 31 in order for the Regional Data Center 
staff to create a new version of our test account. Test accounts are required to be 
refreshed every 4-6 months at all VA sites. With failure of the first two backup lev- 
els, we became reliant on the data stored on several local personal computers that 
could be printed. The data stored on the personal computers are health summaries. 
Health summaries are brief extracts of the record for patients with scheduled ap- 
pointments which contain recent labs, medication lists, problem lists and recent 
notes along with allergies and a few other elements of the patient record. The dis- 
ruption severely interfered with our normal operation, particularly with inpatient 
and outpatient care, and pharmacy. 

Disruption Impact on Inpatient Care 

The inpatient sites were immediately affected. The residents on rounds in all the 
impacted facilities were not able to access patient charts to review the prior day’s 
results, add or review orders. Nursing reports were interrupted because some of the 
handoffs from one shift to the next are done by reviewing activities and progress 
in the electronic record. Discharge planning for that morning was interrupted as 
well due to lack of electronic record availability. On the inpatient wards, there were 
many delays in medication administration and in discharges. The delays included 
the following: 
• The medical staff was forced to write discharge instructions and notes on paper. 

• The electronic lists of instructions and of medications were not available for the 
patients being discharged. 

• Patients being discharged could not be given follow-up appointments at the time 
of discharge. The appointments had to be made later and the patient notified 
by phone. 

• There were delays in obtaining discharge medications and patients remained on 
the wards longer than would normally be required. 

• The nurses administered medications to the patients and used the paper MAR 
to record the administration events. Initial medication passes were interrupted 
and delayed until the paper copies of the Medication Administration Record 
(MAR) could be printed. 

The use of the paper MAR continued well after the system came back up at 
around 4 pm. This occurred because there was a delay in the automated updating 
of all the medications with new orders and changes. Until both Pharmacy and Nurs- 
ing can verify that the electronic lists have been updated and are accurate, the elec- 
tronic MAR cannot be used. One inpatient did not meet inpatient criteria but could 
not be transferred to the nursing home since adequate records were not available. 
The patient stayed an extra 4 days and required an additional nurse to stay in his 
room as a sitter until he could be transferred. 

Disruption Impact on Outpatient Care 

Outpatient activities were impacted within a few minutes after the outage. Al- 
though most clinics did not have scheduled patients until 8:00 am, many providers 
who were beginning to prepare for clinic were affected almost immediately. Consent 
forms that had been done previously for scheduled surgery and for other procedures 
were not available since these are all done electronically. The providers with patient 
appointments early in the morning had no medical records to use for these patients. 
For many of the patients, a medication list was available on paper but the paper 
health summary backups had not yet been printed. We began to instruct the users 
to print the paper health summaries for use in the clinics and on the wards just 
after 8:00 am. These were distributed as quickly as possible but for patients with 
appointments at 8:00 am to 9:00 am, very few of these summaries were available 
in time to provide the needed information to the provider while seeing the patient. 

Disruption Impact on Pharmacy 

The pharmacy quickly became overloaded with prescriptions that they were at- 
tempting to fill for patients. The labeling equipment and automated dispensing 
equipment, both linked to VistA, were unavailable. The pharmacy began to ask pa- 
tients if they could wait to have the prescriptions mailed. This problem was made 
more difficult by the fact that Monday, September 3, 2007, was Labor Day and the 
next transmission to the Centralized Mail Out Pharmacy (CMOP) would be on Tues- 
day, September 4, 2007. In addition, the transmission to the CMOP for August 31, 
2007 was scheduled for 8:00 am. This also caused a delay in patients receiving 
medications. The prescription entries completed on August 30, 2007 by the phar- 
macy were not received at the CMOP for fulfillment until September 4, 2007. 

Other Impacts Resulting From the Disruption 

The local health summaries for patients were printed in all clinic areas and on 
the wards which essentially created a temporary patient record. After 2 hours, most 
users began to record their documentation on paper. For example: 

• Paper order forms were distributed and orders were being faxed to Pharmacy 
and Radiology for inpatients and outpatients. 

• Paper prescriptions were written for outpatients. 

• Laboratory orders were written on paper and patients sent to the lab with 
paper copies of orders. 

• Multiple patients who had planned CT scans and who needed a measure of kid- 
ney function prior to the procedures had to have their blood redrawn since the 
prior results were not available. 

• Consent forms were done on paper. 

• Vital signs and screenings for depression, post-traumatic stress disorder (PTSD) 
and other interventions were recorded on paper. 

• The cardiologists could not read any of the EKGs that had been done prior to 
the failure since these had not been printed and are usually reviewed and inter- 
preted online. 

• Surgeons could not enter their operative notes into the surgery package. 

• Consults could neither be ordered nor responded to, or even updated. 
• Appointments could not be made and, if a patient canceled, there was no way 
to identify other patients to fill those slots. 

Although the paper health summaries were available for patients with scheduled 
appointments, there were no records at all available for patients who came to Ur- 
gent Care or to the Sacramento ER or walk-in patients at any of the clinics. 

Prior Computer Failures 

Although we have had brief periods of scheduled and occasionally unscheduled 
computer failure in the past, many of these were isolated to one site or one building 
and none lasted as long as the disruption experienced on August 31, 2007. Our con- 
tingency plans had been implemented successfully as drills during many of these 
periods. During prior outages, the local IT staff had always been very forthcoming 
with information on the progress of the failure and estimated length even in the 
face of minimal or no knowledge of the cause. To my knowledge, this was absent 
during the most recent outage. 

Disruption Recovery 

Once the disruption was resolved, a tremendous amount of work was undertaken 
to restore the integrity of the electronic record. Laboratory and pharmacy staff 
worked late that Friday night and over the weekend to update the results and or- 
ders in the electronic record and to enter all the new orders and outpatient prescrip- 
tions. Complete recovery in the pharmacy took over a week. Administrative staff 
worked for over 2 weeks to complete the checkouts on all the patients who were 
seen that day. However, entering checkout data on all these patients many days 
after the fact is potentially inaccurate. Many providers have gone back into CPRS 
and tried to reconstruct notes that summarize the paper notes that they wrote in 
order to mitigate the risk of missing information. 

This work to recover the integrity of the medical record will continue for many 
months since so much information was recorded on paper that day. When you con- 
sider that hundreds of screening exams for PTSD, depression, alcohol use, and 
smoking, and entry of educational interventions, records of outside results, dis- 
charge instructions and assessments are all now on paper and are not in a format 
that is easily found in the electronic record, the burden of this one failure will per- 
sist for a long time. This adds an additional load for the staff to have to pull up 
the paper records from that day and presents a risk that some important facts or 
results collected on that day will be missed at some point in the future. For exam- 
ple, consent forms done that day for future procedures will not be in the same loca- 
tion as our usual consent forms since these were done on paper and scanned into 
the record during recovery. 

In summary, there were severe impacts to patient care, timeliness of care and the 
integrity of the medical record due to the disruption and these effects will persist 
for some period of time into the future. Mr. Chairman, this concludes my statement. 


POST HEARING QUESTIONS AND RESPONSES FOR THE RECORD 


Committee on Veterans’ Affairs 
Washington, DC. 
October 3, 2007 


Honorable Gordon Mansfield 
Acting Secretary 

U.S. Department of Veterans Affairs 
810 Vermont Ave., NW 
Washington, DC 20420 

Dear Mr. Mansfield: 

In reference to our Full Committee hearing VA IT Reorganization: How Far Has 
VA Come? on September 26, 2007, I would appreciate it if you could answer the en- 
closed hearing questions by the close of business on November 14, 2007. 

In an effort to reduce printing costs, the Committee on Veterans’ Affairs, in co- 
operation with the Joint Committee on Printing, is implementing some formatting 
changes for materials for all full committee and subcommittee hearings. Therefore, 
it would be appreciated if you could provide your answers consecutively and single- 
spaced. In addition, please restate the question in its entirety before the answer. 
Due to the delay in receiving mail, please provide your response by fax to Debbie 
Smith at 202-225-2034. If you have any questions, please call 202-225-9756. 


Sincerely, 


DT:ds 


BOB FILNER 
Chairman 


Questions for the Record 
The Honorable Bob Filner, Chairman 
House Committee on Veterans’ Affairs 
September 26, 2007 

VA IT Reorganization: How Far Has VA Come? 

In the September 26, 2007, report of Valerie Melvin, Director of Human Capital 
and Management Information Systems Issues at GAO (“GAO Statement”), GAO stat- 
ed: 

As part of the new organizational structure, the department identified 25 of- 
fices whose leaders will report to the five deputy assistant secretaries and are 
responsible for carrying out the new management processes in daily oper- 
ation. However, as of early September 2007, seven of the leadership positions 
for these 25 offices were vacant, and four were filled in an acting capacity. 

Question 1: Please identify for each of those 25 offices: 

a. the name of the office and its function; 

b. the date on which the leadership position in each office was filled and the per- 
son filling the position; 

c. for offices for which the leadership position is filled on an acting basis, the date 
on which the leadership position in each office was filled on an acting basis, 
the person filling the position, and the date by which the position will be per- 
manently filled; and, 

d. for offices for which the leadership position is vacant, the date by which the 
position will be permanently filled. 

Response: 


Columns: Office Name/Function; Permanent Person & Date Position Filled; Acting 
Person & Date; Date Vacant Position Projected to be Filled. 

1. Privacy and Records Management — Integrates privacy considerations into the way 
the Department of Veterans Affairs (VA) uses technologies and handles information. 
Oversees compliance with the Privacy Act of 1974, Freedom of Information Act, 
Health Insurance Portability and Accountability Act (HIPAA), Electronic 
Communications Privacy Act, Office of Management and Budget (OMB) Circular A-130, 
and Government Paperwork Reduction Act. Completes privacy impact assessments on 
new programs. 
Permanent: Sally Wallace, 10/1/2006. Acting: N/A. Projected fill date: N/A. 

2. Cyber Security — Sets policy and oversees implementation and operation of VA’s 
information technology (IT) security program. Provides information security 
protection commensurate with the risk and magnitude of harm resulting from 
unauthorized access, use, disclosure, disruption, modification or destruction of: 
(1) information collected or maintained by or on behalf of VA, (2) information 
systems used or operated by VA or by a contractor of VA or other organization on 
behalf of VA. 
Permanent: Jaren Doherty, 2/4/2008. Acting: (blank). Projected fill date: (blank). 

3. Education and Training — Oversees VA-wide cyber security training, education and 
awareness program, as well as VA annual information security conference. Manages 
VA’s internal information security working group. Ensures VA policies comply with 
regulatory requirements and legislated mandates. 
Permanent: Terri Cinnamon, 11/8/2007. Acting: N/A. Projected fill date: (blank). 

4. Risk Management & Incident Response — Develops cost-effective strategies for IT 
risk management (encompassing IT risk, business continuity management and 
information security management) for data processing environments under the 
control of the Chief Information Officer (CIO). 
Permanent: Katherine Maginnis, 4/29/2007. Acting: N/A. Projected fill date: N/A. 

5. Business Continuity — Manages processes to identify potential threats to 
business continuity and develops the capability to effectively safeguard the 
interests of its key stakeholders. 
Permanent: Andres Lopez, 10/29/2007. Acting: N/A. Projected fill date: N/A. 

6. Enterprise Architecture — Develops an enterprise-wide technical architecture 
that enables the business activities of VA and facilitates the adaptation of 
technology to meet the changing business needs. 
Permanent: Scott Cragg, 8/22/2004. Acting: N/A. Projected fill date: N/A. 

7. Business Relationship Management — Negotiates business requirements on behalf 
of the administrations with IT solution providers. 
Permanent: Vacant. Acting: Ross Smith, 11/11/07. Projected fill date: 3/31/2008. 

8. IT Strategy and E-Gov — Leads ad hoc teams of information architects in 
developing best practices and standards that will integrate paper processes into 
electronic systems. 
Permanent: Loise Russell, 4/24/2007. Acting: N/A. Projected fill date: N/A. 

9. Research and Innovation — Identifies new technologies that provide benefit to 
VA and enable an improved level of service to veterans. 
Permanent: Vacant. Acting: N/A. Projected fill date: 12/1/2008. 

10. Portfolio Programming and Management — Assists in developing IT project 
management plans and investment protocols to meet legislative requirements of 
Federal capital asset programs. 
Permanent: Vacant. Acting: Tim Weigel, 11/11/2007. Projected fill date: 3/31/2008. 

11. Program Management — Oversees the integrated IT management process, reviews 
milestones and assures IT projects are on schedule, within budget and meet 
performance criteria. 
Permanent: Vacant. Acting: Michael Osband, 1/28/2008. Projected fill date: 
3/31/2008. 

12. Information Technology Comptroller — Manages financial processes of the Office 
of Information and Technology (OIT) including budget formulation and execution, 
cost accounting, cost recovery, cost allocations, charge-back models, and revenue 
accounting. 
Permanent: Len Bourget, 2/18/2007. Acting: N/A. Projected fill date: N/A. 

13. Human Resource Career Development — Aligns OIT human resource management with 
VA’s Office of Human Resource and Administration (HRA) and the Office of Personnel 
Management. 
Permanent: Vacant. Acting: Thomas Barritt, 2/28/2008. Projected fill date: (blank). 

14. IT Capital Planning and Investment Management — Plans and controls IT budgets 
and evaluates financial performance. 
Permanent: Vacant. Acting: Karen Kemmet, 7/1/2007. Projected fill date: 3/17/2008. 

15. Asset Management — Provides users with hardware and software needed to do 
their jobs in the most cost-effective manner. 
Permanent: Gary Shaffer, 12/9/2007. Acting: N/A. Projected fill date: N/A. 

16. Vendor and Supplier Management — Develops, implements, and manages sourcing 
strategies to improve the process of negotiating and managing IT contracts and 
evaluating vendor performance. 
Permanent: Vacant. Acting: N/A. Projected fill date: 12/1/2008. 

17. Veterans Health IT Development Program Executive Office (PEO) — Manages IT 
development activities in support of the Veterans Health Administration (VHA). 
Permanent: Vacant. Acting: Jackie Gill, 9/15/2007. Projected fill date: 3/31/2008. 

18. Veterans Benefits IT Development PEO — Manages IT development activities in 
support of the Veterans Benefits Administration (VBA). 
Permanent: Richard Culp, 4/1/2007. Acting: (blank). Projected fill date: (blank). 

19. IT Development Resource Management PEO — Manages development, integration and 
implementation of new enterprise applications within the resource management 
systems portfolio. 
Permanent: Joseph Bond, 4/1/2007. Acting: (blank). Projected fill date: (blank). 

20. Memorial Affairs IT Development PEO — Manages the development, integration and 
implementation of new enterprise applications within the National Cemetery 
Administration (NCA). 
Permanent: Dan Pate, 9/30/2007. Acting: N/A. Projected fill date: N/A. 

21. Field Operations and Security — Manages day-to-day IT operations, data 
centers, IT services and IT security across 4 geographic regions. 
Permanent: Raymond Sullivan, 10/29/2006. Acting: N/A. Projected fill date: N/A. 

22. Infrastructure Engineering — Tests, evaluates and certifies software and 
hardware prior to deployment. Responsible for change management, systems 
engineering, configuration management, release management, production control and 
maintenance. 
Permanent: Charles DeSanno, 1/2/2007. Acting: N/A. Projected fill date: N/A. 

23. Corporate Franchise Data Center — Provides IT services to VA medical centers, 
regional offices, national cemeteries, and other VA and non-VA organizations. 
Permanent: Vacant. Acting: John Rucker, 8/1/2007. Projected fill date: 3/17/2008. 

24. Field Business Operations and Services — Controls and improves the processes, 
services and outcomes relative to end user support, network services and security 
services. 
Permanent: Gary Twedt, 10/29/2006. Acting: N/A. Projected fill date: N/A. 

25. Network and Telecom — Provides telecommunication systems to support VA 
requirements. 
Permanent: David Cheplick, 7/22/2007. Acting: N/A. Projected fill date: N/A. 


Question 1(e): In addition, please provide organization charts showing the re- 
porting relationships of the 25 offices to the five deputy assistant secretaries. 

Response: See Attachment 1 on next page. 









Attachment 1 



Question 2: Please provide a timeline for completion separately for each of the 
following three: 

Question 2(a): The 36 new processes of the IT management processes, including 
the 9 of the 36 that the VA began implementing in March 2007. 

Response: The 36 core IT business processes are undergoing process improve- 
ment, ultimately resulting in the development of a series of improved, standardized 
processes across all business lines. These improved processes will be developed by 
teams of experts, documented, and disseminated across VA to ensure that they are 
repeatable by all VA IT entities. The availability of standard operating procedures 
will not only ensure consistency from site to site, but will also prevent duplication 
of effort in developing them. VA process maturity levels will evolve and improve 
over time based on continuous refinement and process improvement. 

The timeline for the 36 core IT management processes calls for implementation 
by July 2008. We have completed process redesign pilot programs for two: (1) risk 
management and (2) solution test and acceptance. In addition, Process Manuals 
exist for 27 of the processes, either in draft or final version. Key meetings have been 
held for 20 of the processes, with approximately 8 more planned for the week of Feb- 
ruary 11, 2008. The attached spreadsheet provides the details for each of the 36 
processes. 

The approach and schedule for process implementation has been revised, based 
upon lessons learned from the pilot programs and current implementation experi- 
ences. We are streamlining the process improvement approach in order to meet the 
July 2008 timeframe. 

Attachment 2 provides a listing of all 36 processes and the status of each. 

Attachment 2 

Status of 36 New IT Management Processes 

3/13/2008 

Process                                   Process Manual   Manual In   Procedure(s) or 
                                          Status           Review      Guidance Complete 
Capital Planning & Investment Control     ✓                            ✓ 
Project Management                        draft            ✓ 
Service Level Management                  draft            ✓ 
Architecture Management 
Customer Satisfaction Management 
Data and Storage Management 
IT Research & Innovation 
IT Strategy                               draft 
Knowledge Management 
Service Marketing and Sales 
Stakeholder Requirements Mgmt 
Asset Management                          ✓                ✓ 
Financial Management                      draft 
Supplier Relationship Management 
Workforce Management                      draft 
Compliance Management                     ✓                            ✓ 
Change Management                         ✓                ✓ 
Configuration Management                  ✓                ✓ 
Facility Management                       draft 
Release Management                        ✓                ✓ 
Service Execution                         draft 
Availability Management                   draft 
Capacity Management                       draft 
Event Management                          draft 
Incident Management                       draft 
Problem Management                        draft 
Service Pricing & Contract Admin          draft 
User Contact Management                   draft 
Solution Test and Acceptance              ✓ 
Solution Analysis and Design              ✓ 
Solution Build                            ✓ 
Solution Requirements                     ✓ 
Risk Management                           ✓ 
IT Service Continuity Management          draft            ✓ 
Security Management                                        ✓ 
IT Management System Framework            ✓ 


Question 2(b): The 20 out of the 22 information security-related recommenda- 
tions made by the inspector general in 2006, including any updates on the status 
of the 2 of 22 implemented; and the status and targeted completion date of the 17 
FISMA-related recommendations made by the VA Office of Inspector General in its 
annual FISMA report for fiscal year 2005, issued in September 2006. 

Response: The 22 recommendations related to information security made by the 
Inspector General in 2006 consist of: 

• The 17 recommendations in the Office of Inspector General (OIG) Fiscal Year 
(FY) 2005 Audit of VA Information Security Program (report number 05-00055- 
216 dated September 20, 2006); and 

• The five recommendations from the OIG Report: Review of Issues Related to the 
Loss of VA Information Involving the Identity of Millions of Americans (report 
number 06-02238-163 dated July 11, 2006). 

• In addition to the 22 recommendations, 13 recommendations were made as a 
result of the OIG’s FY 2006 audit work and are published in the OIG’s FY 2006 
Audit of VA’s Information Security Program (report number 06-00035-222) 
dated September 28, 2007. 

Recommendations number 6 and 12 from the OIG FY 2005 Audit of VA Informa- 
tion Security Program (report number 05-00055-216 dated September 20, 2006) 
have been closed out by the OIG. All of the recommendations and status are listed 
below: 

Target completion dates for corrective action have been included below, where 
available. Data Security — Assessment and Strengthening of Controls Program (DS- 
ASC) personnel will be working with personnel responsible for implementation of 
corrective action to obtain target completion dates for all OIG recommendations 
shown below. 

Recommendations from FY 2005 Audit of VA Information Security Program, 
Report Number 05-00055-216, September 20, 2006 

Recommendation 1. Implement a centralized IT management approach; apply 
appropriate resources; establish, clarify, and modify IT policies and procedures pur- 
suant to organizational changes; and implement and enforce security controls. 

Status: Corrective Action Still in Process. 

All IT personnel and the entire IT budget have been placed under the control of 
the Assistant Secretary for OI&T, who serves as the VA CIO. Over the past year, 
the CIO has issued policies, procedures, and directives implementing this new, cen- 
tralized management concept to include VA Directive 6500, Information Security 
Program and its accompanying handbook, VA Handbook 6500. Several other policies 
providing guidance regarding implementation of IT security controls are either in 
draft or in concurrence. 

In addition, the CIO is centrally managing implementation, enforcement, and re- 
mediation of IT security controls throughout VA via the data security assessment 
and strengthening of controls (DS-ASC) program and has established the Office of 
IT Oversight and Compliance (ITOC) which consolidates existing IT security activi- 
ties into one office to assist in centralizing enforcement of IT security controls. 

Recommendation 2. Develop and implement solutions for the establishment of 
a patch management program. 

Status: Corrective Action Still in Process. The enterprise framework (EF) will 
provide centralized IT infrastructure management by asset management and soft- 
ware delivery (inventory and configuration) and interface with the patch manage- 
ment process (portal and policy compliance). The current project status is as follows: 

• Completed proof of concept with the integration of two Veterans Integrated 
Service Networks (VISN). The second quarter of FY 2007 focused on developing 
configuration and process baselines. This was followed by deploying and inte- 
grating three additional VISNs, to form a centrally managed Region, during the 
third quarter of FY 2007 through the third quarter of FY 2008. This will be 
repeated in Regions 2, 3, and 4. 

• VA has deployed a vulnerability and patch remediation solution (i.e., Harris 
STAT Guardian and previously Citadel Hercules) that the field has been using 
since 2003 to scan systems and remediate deficiencies. VA has over 300 dedi- 
cated Harris STAT servers providing scan and automated patch capabilities 
across the VA IT enterprise today. This does not include other patch remedi- 
ation tools that have been deployed locally such as systems management server 
and update expert. VA has spent approximately $15M since 2003 on an enter- 
prise-wide vulnerability and patch remediation solution. The long term solution 
is to leverage the EF to provide this capability. 

In addition, other completed actions to implement a patch management program 
for the VA enterprise are as follows: 

1. Current practices have been gathered (completion date August 2007). 

2. Patch management working group charter, process, and list of deliverables 
have been developed (completion date October 2007). 

3. Patch management working group and working group lead have been identi- 
fied (completion date December 2007). 

4. Memorandum issued, titled Enterprise Patch Management Requirements, de- 
tailing VA’s patch management program’s roles and responsibilities, key per- 
sonnel contact information, and standard operating procedures for field imple- 
mentation (completion date December 2007). 

Other actions that still need to be accomplished include: 

1. Review of all current patch management practices across VA, target date for 
completion is late March 2008. 

2. Development of VA patch management policy, target date for completion is 
May 2008. 

3. Development of a patch management program to support configuration man- 
agement procedures, target date for completion is November 2008. 

4. Implementation of the patch management program and training plans enter- 
prise wide, target date for completion is September 2009. 

Recommendation 3: Identify and implement solutions for resolving access con- 
trol vulnerabilities, ensure segregation of duties, remind all sites to confirm virus 
protection fields are updated prior to authorizing connection to their networks, and 
resolve all self-reported access control weaknesses. 

Status: Corrective Action Still in Process. VA IT Directive 06-1, Data Security: 
Assessment and Strengthening of Controls, dated May 24, 2006, established a pro- 
gram to remediate the IT security controls material weakness. As a result the DS- 
ASC plan was developed to address deficiencies. The target date for resolution of 
these deficiencies is third quarter of FY 2008. 

Recommendation 4: Review and update all applicable position descriptions to 
better describe sensitivity ratings, better document employee personnel records and 
contractor files to include signed “Rules of Behavior” instructions, annual privacy 
and HIPAA training certifications, and position sensitivity level designations. 
Status: Corrective Action Still in Process. 

With issuance of the Secretary’s June 28, 2006 memorandum, the Assistant Secretary 
for OI&T now has complete responsibility and authority for information security 
policies, procedures, and practices to include risk and sensitivity levels of em- 
ployee position descriptions. 

Position descriptions and their corresponding sensitivity designations are being 
reviewed for consistency VA wide. Based on the results of these reviews, self certifi- 
cations from VA’s organizational components indicate that VA has requested ap- 
proximately 95 percent of its required background investigations. 

In addition, a VA national Rules of Behavior document is included in an appendix 
to the recently published VA Handbook 6500 and will be signed by personnel with 
access to VA information systems and placed in the appropriate file. VA reported 
to OMB that 95 percent of its employees completed FY 2007 cyber security aware- 
ness training. 

Recommendation 5: Timely request the appropriate levels of background inves- 
tigations on all applicable VA employees and contractors. Additionally, monitor and 
ensure timely requests for reinvestigations on all applicable employees and contrac- 
tors. 

Status: Corrective Action Still in Process. 

Department wide, implementation of this recommendation is approximately 95 
percent complete. The Department is awaiting input from the remaining organiza- 
tions to certify that all required background investigations have been initiated. 

In December 2006, the Office of Security & Law Enforcement within the former 
Office of Policy, Planning and Preparedness published a notice providing guidance 
for requesting the appropriate level of backgrounds for contractors and the proper 
procedures for processing these requests. Additionally, VA Directive 0710 was re- 
vised and has been placed in the concurrence process. The amended Directive 0710 
provides more detailed guidance for processing employee and contractor background 
investigations. VA Handbook 0710 is currently being revised and is planned to be 
completed within the next several months. 

The Security and Investigations Center (SIC) has developed and is using a com- 
puter tracking system that will automatically generate a notice to the SIC staff 
when an employee or contractor is due a background reinvestigation. This tracking 
system will ensure that a timely notice is sent to the employee or contractor when 
reinvestigation packets are due to be completed. 

Recommendation 6: Provide our office the results of researching the benefits 
and costs of deploying intrusion prevention systems (IPS) at all sites. 

Status: Closed by the OIG. 

Recommendation 7: Continue efforts to strengthen critical infrastructure plan- 
ning, complete the critical infrastructure protection plan, and ensure infrastructure 
planning addresses Executive Order 13231, and other information security require- 
ments. 

Status: Corrective Action Still in Process. 

VA has completed the following critical infrastructure protection actions: 

• Security training was provided to the appropriate personnel assigned to the 
Network and Security Operations Center (NSOC). The new hires will have 
training this year. 

• Encryption software was installed on all laptops by September 2006. 

• The Critical Infrastructure Protection (CIP) division is implementing the public 
key infrastructure (PKI) solution. Over 135,000 PKI certificates have been 
issued to date. 

• VA has a continuity of operations plan (COOP) and comprehensive emergency 
program plan. OI&T participates in VA’s annual master COOP plan test. Pri- 
mary responsibility for the VA’s master COOP plan rests with the Office of Op- 
erations, Security, and Preparedness (OSP). VA has issued Directive and Hand- 
book 0320, Comprehensive Emergency Management Program. Both are dated 
March 24, 2005. VA also has an OI&T COOP plan which was posted to VA 
Intranet in June 2003. 

• VA’s critical infrastructure protection contingency plan references Homeland Se- 
curity Presidential Directive — HSPD 7, Homeland Security Act 2002, National 
Response Plan, and National Incident Management System (NIMS) plus other 
historical cyber security requirements. The CIP division is working with the Of- 
fice of Cyber Security to incorporate the requirements, recommendations and 
guidelines into the policies and procedures. Target completion date is August 
2008. 

• The CIP division is installing network intrusion prevention (NIP) devices capa- 
ble of monitoring and blocking network traffic. The VA NSOC is performing an 
analysis to see what other locations can benefit from the NIP units. This is an 
ongoing process where we continuously re-evaluate to ensure the VA has ade- 
quate coverage with regards to the NIPS. 

Recommendation 8: Collaboratively test ITC COOPs in a joint effort with all 
tenant groups (VHA, VBA, NCA, and other program offices) to ensure that backup 
sites will support all mission related operations, and report test results to our office 
for further review. 

Status: Corrective Action Still in Process. 

The Corporate Franchise Data Center (CFD), Austin Campus (formerly the Austin 
Automation Center or AAC) conducts COOP tests annually and has integrated its 
COOP test with the organizations collocated at its facility. The test includes the fol- 
lowing: 

1. Verifying the ability of CFD, Philadelphia Information Technology Center 
(ITC), and Hines ITC staff to recover the CFD Mission Critical and Essential 
Support systems currently replicated to the Philadelphia and Hines ITCs. Ex- 
amples of Mission Critical and essential Support systems include applications 
such as PAID, VETSNET and FMS. 

2. Testing the ability of the CFD to use its workspace recovery facility for CFD 
staff to remotely log onto CFD recovery platforms using the OneVA virtual pri- 
vate network (VPN). 

3. Testing CFD, Philadelphia Insurance, and Veterans Benefits Administration 
(VBA) Benefits Delivery Network (BDN) end-to-end transmission of files be- 
tween the Hines ITC, Philadelphia ITC, Financial Services Center (FSC) Waco 
facility, and Treasury’s Hyattsville Processing Facility. 

4. Testing Beneficiary Identification and Records Locator Subsystem (BIRLS) 
functionality between the Hines and Philadelphia ITCs. 

The last disaster recovery (DR) exercise for the CFD, Austin Campus was con- 
ducted in August 2007; the next exercise is scheduled for August 2008. Mission crit- 
ical and essential support applications are tested with resident organization input 
during the annual DR exercise. Table top tests were performed on routine applica- 
tions in 2007. 

The Philadelphia ITC established an agreement between the ITC, Philadelphia 
Regional Office and Insurance Center (ROIC), and the Philadelphia VA Medical 
Center (VAMC) that established a command post at the VAMC for key ITC and 
ROIC personnel for disaster recovery purposes. The Philadelphia ITC conducted full 
DR tests for the VBA Web applications and the Insurance Payment System in April/May 
2007. A BDN disaster recovery test by Hines and Philadelphia staff was performed 
in Philadelphia July 9-12, 2007. A joint exercise including tenants is 
planned in 2008; however, this will be a simulated or desktop exercise and not a 
full DR test. The next VBA web application disaster recovery test is scheduled for 
the May-June 2008 timeframe at Hines Information Technology Center. We also 
plan to conduct the Insurance Payment System disaster recovery test during this 
same timeframe. 

The Hines ITC maintains a comprehensive DR plan for the legacy Benefits Deliv- 
ery Network (BDN). The disaster recovery exercise in July 2007 successfully dem- 
onstrated that the Bull and IBM BDN disaster recovery infrastructure at the Phila- 
delphia ITC is capable of executing the BDN online and batch processing in the 
event of a real disaster. This plan is exercised annually in the summer months. The 
Hines ITC conducted a joint table-top exercise in December 2007. 

Recommendation 9: Address all self-reported deficiencies identified as the result 
of completed C&A and related review work. 

Status: Corrective Action Still in Process. 

In May 2006, the CIO issued VA IT Directive 06-1, Data Security: Assessment 
and Strengthening of Controls. This directive established a program to remediate IT 
security controls deficiencies. From this DS-ASC plan was developed which address- 
es deficiencies resulting from completed certification and accreditation (C&A) work, 
details of which are contained in the plans of actions and milestones (POA&M) sec- 
tion of the security management and reporting tool (SMART) database. 

The Office of Oversight and Compliance has been established to ensure continuity 
and follow-through on remediation of these deficiencies. 

Recommendation 10: Determine the extent to which uncertified Internet gate- 
ways continue to exist, and take actions to upgrade and terminate external connec- 
tions susceptible to inappropriate access. 

Status: Corrective Action Still in Process. 

NCA shut down its Internet gateway on June 20, 2006. 

VBA shut down its Internet gateway a year ago. VBA continues to maintain a pri- 
vate T1 connection to benefits delivery discharge (BDD) centers at two military fa- 
cilities in Korea and Germany. VBA routes no other data traffic to them, and they 
are getting ready to ship preconfigured firewalls to these centers. The T1 connec- 
tions will be removed within the next 3 months and the traffic will route through 
a virtual private network (VPN) when the firewalls are installed. 

VHA’s VISN 20, 21, and 22 have migrated its traffic to the enterprise cyber secu- 
rity infrastructure program (ECSIP) and have shut down their external connections; 
however, VHA has identified additional external business connections that require 
business partner gateway (BPG) VPN connections. These connections are docu- 
mented, justified, and submitted to the enterprise security cyber control board 
(ESCCB) for approval. 

The Environmental Protection Agency (EPA) connection moved to the ECSIP gate- 
way and the moving of the remaining connections is contingent on ESCCB approval. 
In March 2007, the AAC moved all of its existing site-to-site VPN connections to 
the AAC’s Internet firewall, and then moved the AAC’s Internet firewall’s and fran- 
chise firewall’s internal interfaces from the internal gateway to the VA wide area 
network (WAN). This was necessary to complete the process of moving site-to-site 
VPNs and Internet facing web servers to the VA WAN for Internet access, thus al- 
lowing the shutdown of the supporting Internet service provider. ESCCB approval 
is pending for a plan to migrate the Internet facing web servers as the next step 
in the process. 

Significant progress is being made with migrating Corporate Franchise Data Cen- 
ter (CFD) (formerly Austin Automation Center) remaining customers off of the CFD 
Internet gateway. DoD traffic will be migrated by the end of February 2008 and all 
other customers such as Home TeleHealth (HTH), Workman’s Compensation, and 
the National Archives and Records Administration (NARA) will be completely mi- 
grated by June 30th, 2008. 

Recommendation 11: Improve configuration management practices by identi- 
fying, replacing, or justifying the continuance of older operating systems that are 
vulnerable to security breaches. 

Status: Corrective Action Still in Process. 

VA has been upgrading its computers to the Microsoft Windows XP operating sys- 
tem and also has been upgrading peripheral devices, as necessary. 

All VBA workstations are operating under Windows 2000, and all VBA servers 
are operating under Windows 2003. Implementation plans are underway for 
workstation upgrades to Windows XP. However, the conversion to newer operating 
systems for VBA platforms is dependent upon upgrading the applications systems 
code to use the newer operating systems capabilities. The applications upgrade has 
been estimated at approximately $2 million and will take approximately 2 years to 
complete. Application upgrading will begin and the conversion to a newer operating 
system can be accomplished at the end of this upgrade process. VA is currently 
working to develop requests for waivers for these applications until the application 
upgrade can be accomplished. 

In VHA most desktop systems or IT servers use the latest operating system, Win- 
dows XP. The exceptions to this rule include specialized equipment incorporating 
an operating system such as three V-Tel systems in VISN 17 using Windows 98 
and one telephone switch in VISN 19 using Windows 98 as well as medical devices. 
The V-Tel systems and telephone switch are connected via a virtual local area net- 
work (VLAN) that provides isolation from the facility LAN which is being replaced. 
All medical equipment, regardless of the operating system, is required by VHA pol- 
icy to be connected to facility networks using the VA isolation architecture. Some 
medical systems cannot be upgraded. 

Configuration management has been addressed in the recently published VA 
Handbook 6500. In addition, a plan to address configuration management defi- 
ciencies was completed in August 2007. Minimum configuration settings for infor- 
mation technology products were established in September 2007 and submitted in 
October 2007 to the configuration management technical working group (CM/TWG) 
for finalization and approval in conjunction with enterprise change and configura- 
tion management processes. In September 2007 VA decided on replacement require- 
ments for personal equipment. 

Field security operations are in the process of defining a process to standardize 
operating systems and applications. Processes are also being developed for moni- 
toring system changes and their impacts. Target date for completion is late March 
2008 with final completion dependent on the CM/TWG and the testing/procurement 
of an enterprise management framework (EMF) toolset to support these processes. 
The CM/TWG has a target completion date of September 30, 2008, to develop the 
needed change control procedures, and the EMF project has a target completion 
date of FY 2009, with pilot testing in the last quarter of FY 2008. 

Recommendation 12: Complete actions to relocate and consolidate VACO’s data 
Center. 

Status: Closed by the OIG. 

Recommendation 13: Develop and implement VA-wide application program/op- 
erating system change control procedures to ensure consistent documentation and 
authorization practices are deployed at all facilities. 

Status: Corrective Action Still in Process. 

Change control, as a required security control defined in the National Institute 
of Standards and Technology (NIST) Special Publication 800-53, is included in the 
recently published VA 6500 Handbook. A new technical oversight Committee has 
been established, chaired by the Office of Development, and will review the need 
for specific and separate change control policy beyond the scope of VA Handbook 
6500. 

Additionally, the IT regional data processing change management process is es- 
tablishing integrated change control and ultimately a full change management proc- 
ess. The current outcome is a change management process with an interim defini- 
tion established in a January 29, 2007 memorandum — Regional Data Processing In- 
formation Technology Change Management Interim Process — which focuses on 
change requests that may impact the infrastructure or operating environment of the 
regional data processing. The work group will establish a full change management 
process and ultimately configuration management. This workgroup and processes 
are linked with VBA’s architecture change and review board, AAC’s change manage- 
ment process and change control board, and ESCCB. This work group will look at 
incorporating other change control processes such as those used by VA developers. 
There is a process definition technical work group that will define the VA process 
for change management. 

Related actions that have been completed regarding implementation of change 
controls throughout the VA enterprise include: 

1. Current change control practices have been gathered, completion date August 
2007. 

2. Change control working group charter, process, and list of deliverables have 
been developed, completion date October 2007. 

3. Change control working group and working group lead has been identified, 
completion date December 2007. 

Related actions that still need to be accomplished regarding change controls in- 
clude: 

1. Review all current practices across VA focusing on the impact to operating sys- 
tems including security, target date for completion is late March 2008. 

2. Develop change control policy, target date for completion is May 2008. 

3. Develop change control procedures, target date for completion is November 
2008. 

4. Implement change controls and training plans VA wide, target date for comple- 
tion is September 2009. 

Recommendation 14: Strengthen physical access controls to correct previously 
reported physical access control deficiencies, develop consistent standardized phys- 
ical access control requirements, policies, and guidelines throughout VA. 

Status: Corrective Action Still in Process. 
The OSP has revised VA Directive and Handbook 0730, including Appendix B, 
Physical Security Requirements and Options. Along with other major changes, the 
revised 0730 document contains updated requirements for the physical access of pro- 
tected IT spaces, such as computer rooms and telecommunication/data connections. 
This directive is currently pending departmental concurrence. After concurrence is 
received, in accordance with title 38 section 901 it must then be submitted to the 
Department of Justice for review prior to publication. The Office of Operations, Se- 
curity and Preparedness anticipates it may not be until the end of FY 2008 before 
the revised VA Directive and Handbook 0730 are released. 

Physical and environmental controls have been addressed nationally in the re- 
cently published VA Handbook 6500. Resolution of physical access control defi- 
ciencies is an iterative process. VA IT Directive 06-1, Data Security — Assessment 
and Strengthening of Controls, dated May 24, 2006, established a program to reme- 
diate the IT security controls material weakness. As a result the DS-ASC plan was 
developed to address the physical access control deficiencies mentioned above. Tar- 
get date for remediation of these deficiencies is the third quarter of FY 2008. 

The Office of Information and Technology Office of Oversight and Compliance has 
been established to ensure continuity and follow-through on remediation of physical 
access control deficiencies. In order to highlight the necessary physical security re- 
quirements, the Office of Information and Technology Oversight and Compliance 
(ITOC) worked closely with representatives from the Office of Operations, Security 
and Preparedness to develop an Information Physical Security (IP) checklist to be 
utilized by ITOC during assessments of VA facilities. The IP checklist has been 
added to the assessment protocols. The initial prototype was tested at a number of 
VA facilities and was well received by Facility Directors, CIOs, Information Security 
Officers, Chiefs of Police, and others. An early observation indicates it will prove in- 
valuable to direct attention to physical access issues. The ITOC assessment teams 
are also continuing to stress the applicable security controls from the NIST 800- 
53 protocols during the assessments. 

An Information Memorandum, to be jointly issued by the Assistant Secretary for 
Operations, Security and Preparedness and the Assistant Secretary for Information 
and Technology, is being prepared. This joint memorandum will form the basis of 
a physical security awareness campaign. This memorandum is expected to be re- 
leased sometime in mid-FY 2008. 

Recommendation 15: Reduce wireless security vulnerabilities by ensuring sites 
have an effective and up-to-date methodology to protect against the interception of 
wireless signals and accessing the network. Additionally, ensure the wireless net- 
work is segmented and protected from the wired network. 

Status: Corrective Action Still in Process. 

Wireless laptops on VA networks are protected and separated from the wireless 
network by AirFortress. Methods used to protect the interception of wireless signals 
and accessing the network are included in VA’s Wireless and Handheld Device Secu- 
rity Guideline, Version 3.2, dated August 15, 2005. 

VHA and VBA have installed AirFortress wireless security gateway to secure 
their wireless LAN systems. All wireless data traffic is routed through the 
AirFortress wireless security gateway before it is transmitted on VA network. The 
AirFortress wireless security gateway not only provides encryption of data between 
the wireless client and the security gateway, it also provides firewall functionality 
and limits access to VA network to only authorized devices and users. Since firewall 
functionality has already been provided as part of the AirFortress solution there is 
no need to install an additional firewall between AirFortress and VA network. 

VA recognizes that any secure wireless LAN system will include a wired/wireless 
network border gateway security device that will enforce an access control policy be- 
tween the wired and wireless network thereby limiting access to only authorized 
users on authorized ports, all features of a firewall. 

However, additional work needs to be done in the wireless area. Blackberries and 
PalmPilots connecting to the network are not encrypted. Encryption for these de- 
vices is being piloted. In addition, the NSOC is establishing a wireless assessment 
program that will identify and assist the field with remediation of wireless security 
vulnerabilities. 

Recommendation 16: Identify and deploy solutions to encrypt sensitive data and 
resolve clear text protocol vulnerabilities. 

Status: Corrective Action Still in Process. 
VA has taken several actions toward the protection of sensitive information. By 
September 15, 2006 the VA encrypted over 15,000 laptops. Simultaneously, VA de- 
veloped and implemented procedures to ensure that all laptops have applied up- 
dated security policies and removed all sensitive information that was not author- 
ized to be stored on the devices. This procedure will continue to occur throughout 
the Department routinely and is one measure VA has undertaken to protect infor- 
mation. 

VA has begun deploying technology to ensure information is protected and is iden- 
tifying and leveraging existing technologies that will contribute to protecting VA in- 
formation. These technologies and the status of their deployments are shown below: 

• Sanctuary port security and device control technology. Sanctuary has been de- 
ployed and is operational in Region 4 (Northeastern United States). Sanctuary 
is actively restricting the use of non-VA approved universal serial bus devices 
on VA computers. The technical documentation, architecture design, server con- 
figuration, and project documentation created during Region 4 deployment are 
being leveraged by the rest of the enterprise as they begin deployment of the 
technology. Region 3 (Southern/near Midwestern United States) will be the next 
region to deploy Sanctuary and is in the process of procuring hardware to sup- 
port its implementation. Subsequently, Region 1 (Western United States), Re- 
gion 2 (Southwestern/far Midwestern United States), the Corporate Franchise 
Data Center (Austin, Texas), VBA, and NCA will deploy. 

• Microsoft Rights Management Services (RMS) technology to safeguard digital in- 
formation from unauthorized use. VA completed the deployment of over 157,000 
RMS clients across the enterprise in FY 2007. VA procured robust hardware to 
support the operations of RMS for the enterprise, thus enabling VA to use the 
current hardware for the infrastructure for the RMS continuity of operations. 
VA has begun to test the external provisioning component for RMS which will 
extend the RMS functionality of protecting emails and documents to VA busi- 
ness partners. Without the external provisioning component, VA business part- 
ners, such as the Department of Justice, cannot read email messages that are 
sent with RMS security controls applied. 

• Attachmate host integration and secure network transmission technology. In 
2007 VA conducted pilot testing of Attachmate technology across all of VA’s Re- 
gions. The pilot included the installation and testing of the terminal emulator 
client in unencrypted mode and then encrypted mode. This technology will be 
able to encrypt information sent across VA network from applications such as 
VistA (veterans health information systems and technology architecture), CPRS 
(computerized patient record system), and IFCAP/ETA (integrated funds dis- 
tribution, control point accounting and procurement/enhanced time and attend- 
ance). VA has developed the various configurations depending on how the prod- 
uct will be used to include the corresponding technical documentation. The in- 
stallation package and the technical documentation will be posted to a share 
point and made available for sites to acquire this information and the file. Re- 
gion 4 will be the first to deploy the client in an encrypted mode throughout 
their region. 

• Cisco and BigFix secure remote access technology. The secure remote access 
project, also known as the remote enterprise security compliance update envi- 
ronment (RESCUE), proof of concept was successfully completed in mid-October 
2007. The RESCUE solution consists of Cisco technology for enforcement and 
network access control and BigFix for remediation of non-compliant devices. Re- 
cently, VA NSOC installed a portion of the hardware to support RESCUE in 
the Reston gateway. In January 2008 a small user group test was conducted 
out of the Reston gateway. Simultaneously, RESCUE hardware and software 
will be installed in the remaining gateways by February 2008. The virtual pri- 
vate network (VPN) user-base will be migrated to the RESCUE solution by 
June 2008. 

Recommendation 17: Conduct validation tests in conjunction with remediation 
efforts to ensure all information and data retained in the SMART database is accu- 
rate, complete, and reliable. 

Status: Corrective Action Still in Process. ITOC performs validation tests of 
SMART database as part of their assessments. To date numerous assessments have 
been conducted by ITOC. ITOC has validated internal processes and procedures in 
the identification and accuracy of POA&M items and has stressed to the field the 
need to ensure updated information is incorporated into SMART. The ITOC inspec- 
tion checklist has been modified to add additional task lines to verify entries in 
SMART. Target completion date is April 1, 2008. 
Recommendations from OIG Report: Review of Issues Related to the Loss of 
VA Information Involving the Identity of Millions of Americans, Report 
# 06-02238-163, Issued July 11, 2006 

Recommendation 1: Establish one clear, concise VA Policy on safeguarding pro- 
tected Information when stored or not stored in VA automated systems, ensure that 
the policy is readily accessible to employees, and that employees are held account- 
able for non-compliance. 

Status: Closed by the OIG based on the issuance of VA Handbook 6500, Informa- 
tion Security Program, on September 18, 2007 and meeting with OIG on September 
7, 2007. 

Recommendation 2: Modify the mandatory Cyber Security and Privacy Aware- 
ness training to identify and provide a link to all applicable laws and VA policy. 

Status: Corrective Action Completed. Cyber security and privacy awareness train- 
ing modules have been updated. The privacy awareness training module has been 
updated and now contains links to applicable laws and VA policy. It has been pro- 
vided to the OIG for review. The FY 2008 cyber security awareness training was 
made available on October 1, 2007. All applicable VA policy and Federal laws are 
linked on the reference page of the online training course. VA is currently working 
with the OIG to close out this Issue. 

Recommendation 3: Ensure that all position descriptions are evaluated and 
have proper sensitivity level designations that there is consistency nationwide for 
positions that are similar in nature or have similar access to VA protected informa- 
tion and automated systems, and that all required background checks are completed 
in a timely manner. 

Status: Corrective Action Still in Process. 

• New fields have been added to VA payroll system to reflect position risk/sensi- 
tivity levels for each VA position and background investigation levels for each 
employee. 

• The revised version of VA Directive 0710, Personnel Suitability and Security 
Program, is still in concurrence. In addition, the accompanying handbook, VA 
Handbook 0710, is under development by OSP. 

VA will ensure that all background investigations are requested, and as appro- 
priate, adjudicated when completed, in the required timeframes and will monitor 
the status of investigations performed by outside entities. VA cannot ensure back- 
ground investigations are completed in a timely manner as VA does not conduct 
background investigations; these are performed by the Office of Personnel Manage- 
ment. 

Self-certifications from VA’s organizational components indicate that VA has re- 
quested approximately 95 percent of its required background investigations. 

Recommendation 4: Establish VA-wide policy for contracts for service that re- 
quires access to protected information and/or VA automated systems, that ensures 
contractor personnel are held to the same standards as VA employees, and that in- 
formation accessed, stored or processed on non-VA automated systems is safe- 
guarded. 

Status: Closed out by the OIG based on the issuance of VA 6500 Handbook, Infor- 
mation Security Program, dated September 18, 2007. 

Recommendation 5: Establish VA policy and procedures that provide clear, con- 
sistent for reporting, investigating, and tracking incidents of loss, theft, or potential 
disclosure of protected information or unauthorized access to automated systems, in- 
cluding specific timeframes and responsibilities for reporting within the VA chain- 
of-command and, where appropriate, to OIG and other law enforcement entities, as 
well as appropriate notification to individuals whose protected information may be 
compromised. 

Status: Closed by the OIG based on the issuance of VA Handbook 6500, Informa- 
tion Security Program, on September 18, 2007 and meeting with OIG on September 
7, 2007. 
Recommendations from OIG’s FY 2006 Audit of VA’s Information Security 
Program, Report Number 06-00035-222, dated September 28, 2007. 

Recommendation 1: Provide for the maintenance of appropriate documentation 
of completed background investigations for employees and contractors. 

Status: Corrective Action Still in Process. Documentation of completed back- 
ground investigations will be maintained for employees and contractors in accord- 
ance with VA policies and procedures. 

Recommendation 2: Require contractors with access to VA systems to complete 
cyber security awareness training in accordance with OMB A-130. 

Status: Corrective Action Still in Process. Paragraphs 2 and 3f of VA Directive 
6500, Information Security Program, dated August 4, 2006, require annual security 
awareness training for all contractors with access to VA sensitive information and 
information systems. VA 6500 Handbook, Information Security Program, issued on 
September 18, 2007, also requires that contractors take this training. 

In addition, VA has developed standard contract language to be used in all VA 
contracts regarding protection of VA information and information systems which 
will incorporate the requirement for contractors to complete annual security aware- 
ness training. The contractual language is still undergoing Departmental concur- 
rence. Target date for obtaining concurrence on this contract language is April 2008. 

Recommendation 3: Develop and implement a methodology to assess the effec- 
tiveness of VA’s Intrusion Prevention Systems in protecting VA systems and data 
from inappropriate access. 

Status: Corrective Action Still in Process. VA will implement a method to evalu- 
ate the effectiveness of VA’s IPS. 

Recommendation 4: Develop a comprehensive COOP for OI&T and update and 
finalize the OI&T appendix within the VA Master COOP to include its essential 
functions, emergency relocation group, mission critical systems, and vital records in 
accordance with the Federal Preparedness Circular 65, Federal executive branch 
Continuity of Operations. 

Status: Corrective Action Still in Process. VA has a master COOP and com- 
prehensive emergency program plan. Primary responsibility for VA’s master COOP 
plan rests with the OSP. OI&T is a part of and participates in VA’s annual master 
COOP plan test. 

OI&T has its own COOP plan which was posted to the VA Intranet in June 2003. 
This plan is contained in OI&T Handbook 0320, Continuity of Operations, Planning 
Procedures and Operational Requirements. The purpose of the OI&T COOP plan is 
to: 

a. Provide command and control of IT assets during emergency situations to en- 
sure continuation of mission-critical and mission-essential operations. 

b. Provide a coordinated response and recovery effort to effectively mitigate an 
emergency or disaster. 

c. Ensure the Assistant Secretary for OI&T can perform its mission-critical and 
mission-essential responsibilities during and after an emergency situation. 

d. Ensure the safety and welfare of VA IT staff both during and after an emer- 
gency situation. 

e. Provide a mechanism for the prompt notification of all VA IT personnel during 
an emergency situation. 

f. Reconstitute, as rapidly as possible, IT systems that are adversely affected due 
to an emergency or disaster. 

g. Develop mitigation strategies that will ensure the survival of VA’s critical IT 
infrastructure. 

h. Support regular training and exercises designed to enable personnel to perform 
assigned emergency management duties. 

i. Provide a standardized format for reporting the status of essential IT systems 
and functions. 

This plan applies to all VA IT staff, and contractors, and its mission of supporting 
VA Central Office (VACO) with IT, information management, record management, 
cyber security, and telecommunications. The plan addresses emergency prepared- 
ness activities to ensure business continuity. Preparedness activities include plans, 
procedures, readiness measures, and mitigation strategies that enhance VA’s ability 
to respond to and recover from a designated emergency. 
OI&T will complete the identification and prioritization of its critical information 
assets, essential functions, emergency relocation group, mission critical systems, and 
vital records and will update and finalize its appendix section within the VA master 
COOP to make it current with the OI&T reorganization. 

Recommendation 5: Ensure the C&A work is complete and that the C&A certifi- 
cations are supported by the work performed. 

Status: Corrective Action Still in Process. Certification and accreditation (C&A) 
work for VA’s information systems is complete. Re-accreditation for the vast major- 
ity of VA’s systems (which were accredited in August 2005) is due to be completed 
in August 2008. 

In 2006, VA contracted with an outside firm to perform an independent validation 
and verification (IV&V) of its 2005 C&A effort. VA will review the issues and rec- 
ommendations contained in the contractor’s IV&V report, along with the issues 
identified on pages 11-13 of this audit report, and make the appropriate revisions 
to VA’s C&A policy to ensure that future C&As are performed according to NIST 
800-37. 

In 2006, VA contracted with an outside firm to perform an independent validation 
and verification (IV&V) of its 2005 C&A effort. VA has reviewed the issues and rec- 
ommendations contained in the contractor’s IV&V report and will make the appro- 
priate revisions to its ongoing reaccreditation efforts to ensure that certification and 
accreditation efforts (C&A) are properly documented and cross-referenced. 

Recommendation 6: Develop a Department-wide configuration management 
plan/security configuration policy. 

Status: Corrective Action Still in Process. Configuration management has been 
addressed in the recently published VA Handbook 6500. Additional policy regarding 
this issue still needs to be developed. 

To date the following actions have been completed regarding implementation of 
a configuration management plan for the VA enterprise: (1) current configuration 
management practices have been gathered (August 2007), (2) the current status of 
the VA configuration management program policy and handbook have been deter- 
mined (July 2007), (3) a configuration management working group charter, process, 
and list of deliverables has been established/developed; and (4) a configuration man- 
agement working group has been established and a working group lead has been 
identified (December 2007). 

Tasks that still need to be accomplished are: (1) a review of all current configura- 
tion management practices across the VA enterprise (target completion date is late 
March 2008), (2) development of VA configuration management policy (target com- 
pletion date is May 2008), (3) development of configuration management plans to 
support change control procedures (target completion date is November 2008), and 
(4) execution of configuration management implementation and training plans VA- 
wide, target completion date is September 2009. 

Recommendation 7: Verify information categorization and risk assessments re- 
lating to sensitive information are in accordance with FIPS 199. 

Status: Corrective Action Still in Process. VA IT Directive 06-1, Data Security — 
Assessment and Strengthening of Controls, dated May 24, 2006, established a pro- 
gram to remediate the IT security deficiencies. The DS-ASC plan, was developed 
to address deficiencies. VA has established a data control board to classify VA data 
which will assist in the implementation of this recommendation. 

Recommendation 8: Develop and fully implement procedures for protecting sen- 
sitive information accessed remotely or removed from VA facilities in accordance 
with NIST SP 800-53. 

Status: Corrective Action Still in Process. VA IT Directive 06-1, Data Security — 
Assessment and Strengthening of Controls, dated May 24, 2006, established a pro- 
gram to remediate the IT security deficiencies. This is already being partially ad- 
dressed through the introduction of new software. 

Recommendation 9: Complete the implementation of two-factor authentication 
in accordance with NIST SP 800-53. 

Status: Corrective Action Still in Process. VA IT Directive 06-1, Data Security — 
Assessment and Strengthening of Controls, dated May 24, 2006, established a pro- 
gram to remediate IT security deficiencies. This issue has been provided to DS-ASC 
personnel for incorporation into the DS-ASC program. A consolidated program for 
identity management has already been established to partially address this defi- 
ciency. 

A target date has not been established. With the initiation of the DS-ASC con- 
tract award, milestones are being developed and target dates will be established in 
the next 2 or 3 months. 

Recommendation 10: Identify solutions and an implementation plan for a work- 
able time-out function for remote access through VPN in accordance with NIST SP 
800-53. 

Status: Corrective Action Still in Process. While this recommendation is being ad- 
dressed in the DS-ASC, it cannot be currently implemented as the 30 minute time- 
out feature for inactivity does not always work as intended with technology cur- 
rently deployed. This limitation can be attributed to the frequent system activity 
caused by certain software products (e.g., host based IPS) which makes the VPN 
connection appear to be active, therefore never reaching the 30 minutes threshold 
of inactivity. 

While the applications in use do timeout, the VPN sometimes does not. VA feels 
that the timeout capability provided by the current suite of deployed software is 
enough to mitigate this risk. VA will search for solutions to this issue in its next 
generation of RESCUE software. 
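The failure mode described above, as an added, constructed Python illustration (not VA's or the RESCUE product's code): an idle timer that treats every packet as activity never reaches the 30-minute threshold while a host-based IPS agent phones home every few minutes, whereas a timer that counts only user-attributed activity does. The agent names, the 5-minute interval and the session timeline are assumptions chosen for the example.

```python
"""VPN inactivity timeout simulation.

Constructed example: compares a naive idle timer (any traffic resets it) with
one that ignores traffic from known background agents, to show why the
30-minute timeout described in the response may never fire in practice.
"""
from dataclasses import dataclass

IDLE_TIMEOUT_MIN = 30  # inactivity threshold stated in the VA response


@dataclass(frozen=True)
class Event:
    minute: int   # minutes since the VPN session started
    source: str   # "user" for interactive activity, otherwise an agent name


# Traffic from these sources is machine-generated and should not count as
# user activity. The names are constructed for this example.
BACKGROUND_SOURCES = {"hips-agent", "av-updater"}


def naive_idle_minutes(events, now):
    """Idle time when any traffic at all resets the timer (the described behaviour)."""
    last = max((e.minute for e in events if e.minute <= now), default=0)
    return now - last


def user_idle_minutes(events, now):
    """Idle time when only traffic attributed to the user resets the timer."""
    last = max(
        (e.minute for e in events if e.minute <= now and e.source not in BACKGROUND_SOURCES),
        default=0,
    )
    return now - last


def should_disconnect(idle_minutes):
    """Policy check: disconnect once idle time reaches the threshold."""
    return idle_minutes >= IDLE_TIMEOUT_MIN


def simulate_session(user_last_active, session_end, hips_interval=5):
    """Constructed session: the user works (an event every 2 minutes) until
    user_last_active, then walks away; a host IPS agent sends traffic every
    hips_interval minutes for the whole session regardless of the user."""
    events = [Event(m, "user") for m in range(0, user_last_active + 1, 2)]
    events += [Event(m, "hips-agent") for m in range(0, session_end + 1, hips_interval)]
    return events


def first_disconnect_minute(events, idle_fn, session_end):
    """Walk the session minute by minute; return the first minute at which the
    given idle policy would disconnect, or None if it never does."""
    for now in range(session_end + 1):
        if should_disconnect(idle_fn(events, now)):
            return now
    return None


if __name__ == "__main__":
    session = simulate_session(user_last_active=20, session_end=120)
    print("naive timer disconnects at:", first_disconnect_minute(session, naive_idle_minutes, 120))
    print("user-aware timer disconnects at:", first_disconnect_minute(session, user_idle_minutes, 120))
```

Detecting the gap is the same measurement the VPN gateway would need: attribute traffic to its originating process or destination before deciding the session is active.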

Recommendation 11: Complete implementation of security control measures in- 
volving access to sensitive information by non-VA employees. 

Status: Corrective Action Still in Process. This recommendation is being added 
as a task to the DS-ASC and will address the five areas of improvement identified 
in the OI&T August 25, 2006 briefing to the former Secretary. 

Recommendation 12: Implement a standardized security program for use by all 
of VA’s national and regional data centers to facilitate more consistent security pro- 
gram assessment and monitoring. 

Status: Corrective Action Still in Process. A standardized security program for 
the data centers will be developed and implemented. 

Recommendation 13: Institute mechanisms to notify all VA facilities of the spe- 
cific security issues identified in this report and from future testing so that appro- 
priate corrective actions can be taken on these issues if they exist at other facilities. 

Status: Corrective Action Still in Process. The OIG FY 2006 FISMA audit report 
has been distributed to personnel who have overall responsibility for implementa- 
tion of corrective action (champions and project managers) shown in the data secu- 
rity-assessment and strengthening of controls (DS-ASC) program. This report, and 
all subsequent similar reports, will be posted to the VA Intranet by the end of 
March 2008 so that deficiencies identified in these reports can be made available 
to OI&T personnel located at other VA facilities. An e-mail will be sent notifying 
OI&T personnel of each report’s availability and VA Intranet location. 

Question 3: What has been accomplished since June 2007 in fully implementing 
the IT Governance plan? Are all governance boards in place and operating? 

Response: Implementation of the IT governance plan is the responsibility of the 
VA Executive Board, the Strategic Management Council (SMC) and VA senior lead- 
ership; not just OI&T. IT governance is an integral part of VA-wide governance and 
aligns to VA’s business strategies and objectives. Trust must be built among the 
stakeholders in the management of IT in VA. Implementing VA IT governance in- 
volves shared decisionmaking through the IT governance boards, based on the guid- 
ing principle of aligning IT strategy and goals to business strategy and goals. 

Since June 2007, each of the IT governance boards played an integral part in 
identifying and prioritizing the myriad requirements that the business units have 
to contend with. The Planning, Technology and Services (PATS) Board developed 
the FY 2009 program with input from the business units and stakeholders. The 
Business Needs and Investment Board (BNIB) developed FY 2008 execution strat- 
egy and FY 2009 funding recommendations. The Information Technology Leadership 
Board (ITLB) carried the message of the PATS and BNIB to the highest levels of 
VA’s leadership and recommended that the Deputy Secretary approve the IT budg- 
ets. The FY 2009 budget submission was unanimously approved by the SMC/VA En- 
terprise Board (VAEB). 

Question 4: With respect to the VistA outage on August 31, 2007, described in the testimony of Dr. Volpp, please state what actions are being taken to ensure that such an outage does not occur in the future. In addition, state whether the “failover” function between the two western data centers is sufficient to ensure uptime of VistA sufficient to meet the healthcare needs of VHA, the reason(s) the “failover” function is or is not able to meet those needs, and, if the “failover” is not sufficient to meet those needs, what remediation will be undertaken. 

Response: The root cause of the outage on August 31, 2007 was lack of adherence to change management procedures by VA staff. Staff has been retrained in change management procedures and compliance is being closely monitored. Senior management has communicated to staff that any future outage with similar cause may result in disciplinary actions against those individuals not adhering to the procedures. 

The “failover” function is in place and able to meet the healthcare needs of VHA in this region. Failover capability has been successfully tested as recently as September 16, 2007. 

Failover capability is a core system design requirement of the regional data processing program and as such is available if an event occurs that warrants that action. The design is intended for disaster situations. Although it takes up to 4 hours to failover once the decision is made to do so, sites do have “read only” capability available. During the August 2007 outage, “read only” capability was available to all affected sites. 

The outage that took place on August 31, 2007 at the west coast Regional Processing Center (RPC) in Sacramento was precipitated by a change that was made to the running environment without formal approval. Additionally, this unapproved change was made incorrectly — resulting in a number of systems being taken offline, rendering the entire system unavailable. Based on detailed analysis, the Department is instituting a number of improvements and architectural changes to the RPC on the west coast in order to ensure efficient day-to-day processing, increased availability and enhancement of failover of resources in the event of a disaster. The RPC was originally architected to ensure continuity of operations during a Katrina-like episode or other regional disaster. The Department has also engaged a contractor for an independent analysis of the RPC. The results of that engagement have not been delivered as of yet. This information will also be used to validate or enhance the Department’s architectural decisions. 

These changes in the RPC environment will ensure that VA moves closer to a more highly available environment for the VistA systems that serve the Department’s medical centers and clinics. Already, the RPC on the east coast is providing very high availability. The scheduled and unscheduled downtime metrics for VistA in those data centers fall into the “Best In Class” category as defined by Gartner — their most stringent category. While hardware augmentation and realignment of systems will improve availability in the west coast data centers and with the VistA platform design in general — it should be noted that the Department’s aging VistA application must also be examined. 

The Department has launched an assessment team to review “Class 3” applications. It is believed that certain Class 3 code can negatively affect the health and performance of a running VistA system. The team embarked upon its analysis at a VA facility — the San Francisco VAMC — where the presence of Class 3 code is significant. We are examining efficiency of Class 3 code, adherence to standards, and scalability qualities — in order to ensure efficient usability at an RPC. 

In closing, we believe the availability needs of the organization will be met by the continued application of engineering enhancements to the RPC infrastructure as well as the analysis and renovation of Class 3 code. Disaster recovery failover capabilities have been in place since the launch of the RPCs and will also continue to be enhanced by the engineering changes being implemented already, with others on the immediate horizon. In the end, however, the application is what dictates, in great part, limitations on performance and availability. The current VistA application has roots and elements that are more than 20 years old. Until the advent and full deployment of HealtheVet — which brings significant renovation of the aging VistA code by rearchitecting using industry best practices including Service Oriented Architecture (SOA) — overall availability for VistA can be optimized only to a point but will still fall in Gartner’s “Outstanding” or “Best in Class” categories. 

Question 5: GAO identified “dedicating an implementation team to manage change” as a critical success factor to the department’s implementation of a centralized structure. The department is currently managing the realignment through two organizations: the Process Improvement Office under the Quality and Performance Office and the Organizational Management Office. The Executive Director of the Organizational Management Office has recently resigned his position, leaving one of the two offices without leadership. Please explain the following: 

Question 5(a): Why did VA decide to manage the realignment through two organizations rather than dedicating a single implementation team to manage change? What is the benefit to having two organizations over one? 

Response: Since the executive director of the Organizational Management Office resigned, the deputy director of the Office of Quality and Performance has been assigned the responsibility to advise the principal deputy assistant secretary (PDAS) and Assistant Secretary for OI&T on realignment issues in addition to continuing the process improvement effort. 

Overall, the IT executive leadership team is responsible for meeting established performance goals related to the implementation of the IT realignment. For example, the Information Protection and Risk Management (IP&RM) organization is responsible for ensuring proper policies and procedures are in place to protect personally identifiable information of both veterans and employees, as is ITOC. The Resource Management (RM) organization is responsible for career management, funds execution and asset management. Similarly, the Office of Enterprise Development (OED) ensures appropriate processes are implemented as IT products are developed. Enterprise Operations and Infrastructure (EO&I) is measured on their compliance with service level agreements and the Office of Enterprise Strategy, Policy, Plans and Programs (OESPP&P) ensures multi-year programming and project management activities are implemented as well as developing and describing IT strategic plan goals. Each component of OI&T has developed performance metrics, which will be tracked and managed to ensure goals are met and performance shortfalls identified. Additionally, processes for the 36 major IT business areas have been defined and are in the initial implementation stages. Recently, OI&T has streamlined the organizational management of the realignment to one office, the Office of Quality and Performance. This organization will be responsible for ensuring IT process implementation, performance management, as well as program evaluation and analysis and will advise the PDAS and Assistant Secretary for OI&T on realignment performance goals and areas for improvement. 

Question 5(b): Who will be held responsible in tracking implementation goals and identifying performance shortfalls? Who will be held accountable if the implementation goals are not met and performance shortfalls are realized? 

Response: Overall, the IT executive leadership team is responsible for meeting established performance goals related to the implementation of the IT realignment. For example, the IP&RM organization is responsible for ensuring proper policies and procedures are in place to protect personally identifiable information of both veterans and employees, as is ITOC. The RM organization is responsible for career management, funds execution and asset management. Similarly, OED ensures appropriate processes are implemented as IT products are developed, EO&I is measured on their compliance with service level agreements and OESPP&P ensures multi-year programming and project management activities are implemented as well as developing and describing IT strategic plan goals. Each component of OI&T has developed performance metrics, which will be tracked and managed to ensure goals are met and performance shortfalls identified. Additionally, processes for the 36 major IT business areas have been defined and are in the initial implementation stages. Recently, OI&T has streamlined the organizational management of the realignment to one office, the Office of Quality and Performance. This organization will be responsible for ensuring IT process implementation, performance management, as well as program evaluation and analysis and will advise the PDAS and Assistant Secretary for IT on realignment performance goals and areas for improvement. 

Question 5(c): Who is currently advising and assisting the CIO since the Executive Director of the Organizational Management Office resigned? 

Response: The Deputy Director of the Office of Quality and Performance is assigned the responsibility to advise and assist the Principal Deputy Assistant Secretary and Assistant Secretary for IT on realignment issues. 